AWS CloudWatch Log Stream Deletion
Detects the deletion of an Amazon CloudWatch log stream using the "DeleteLogStream" API. Deleting a log stream permanently removes its associated log events and may disrupt security visibility, break audit trails, or suppress forensic evidence. Adversaries may delete log streams to conceal malicious actions, impair monitoring pipelines, or remove artifacts generated during post-exploitation activity.
Elastic rule
[metadata]
creation_date = "2020/05/20"
integration = ["aws"]
maturity = "production"
updated_date = "2025/11/13"

[rule]
author = ["Elastic"]
description = """
Detects the deletion of an Amazon CloudWatch log stream using the "DeleteLogStream" API. Deleting a log stream
permanently removes its associated log events and may disrupt security visibility, break audit trails, or suppress
forensic evidence. Adversaries may delete log streams to conceal malicious actions, impair monitoring pipelines, or
remove artifacts generated during post-exploitation activity.
"""
false_positives = [
    """
    CloudWatch log streams may be deleted legitimately during log rotation processes, test environment resets, or
    infrastructure deployments that recreate log groups and streams. Validate the identity, automation pipeline, and IP
    address associated with the deletion. If deletions are expected from specific CI/CD systems or administrative roles,
    consider adding targeted exceptions.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS CloudWatch Log Stream Deletion"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance.
> While every effort has been made to ensure its quality, validate and adapt it to your operational context.

### Investigating AWS CloudWatch Log Stream Deletion

CloudWatch log streams contain sequential log events from a single application, service, or AWS resource.
Deleting a log stream permanently removes its archived log events, which may disable monitoring workflows, eliminate
critical telemetry, or disrupt forensic visibility.

Adversaries may delete log streams to cover their tracks after unauthorized actions, to break ingestion pipelines feeding SIEM, alerting, or anomaly-detection systems, or to remove evidence before escalating privileges or moving laterally. This rule detects successful `DeleteLogStream` invocations recorded in CloudTrail; calls made by AWS services on the account's behalf (user agent `AWS Internal`) and events without a caller IP address are excluded by the query.

#### Possible investigation steps

- **Identify the actor**
  - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id`.
  - Confirm whether the user or role normally manages CloudWatch Logs resources.

- **Review request details**
  - Inspect `aws.cloudtrail.request_parameters` to determine which log stream (`logStreamName`) and parent log group (`logGroupName`) were deleted.
  - Assess the importance of the deleted stream:
    - Was it used for VPC Flow Logs, CloudTrail, Lambda functions, ECS tasks, or application logs?
    - Did it contain logs used for security detection or compliance auditing?

- **Examine request origin and context**
  - Review `source.ip` and `user_agent.original` for anomalies (e.g., unfamiliar CLI tools, suspicious automation,
    unknown IP ranges, or external geolocations).
  - Validate whether the request originated from a legitimate automation host or jump box.
  - Check activity around the same timestamp for related operations such as:
    - `DeleteLogGroup`
    - `StopLogging`, `UpdateTrail`, or `DeleteTrail`
    - GuardDuty detector or CloudWatch alarm deletions
    - IAM policy or role modifications

- **Determine operational justification**
  - Consult change management systems or deployment pipelines to confirm whether the deletion was planned.
  - Contact application owners or platform teams to determine whether the log stream was part of normal rotation or cleanup.

- **Investigate broader compromise indicators**
  - Look for suspicious activity by the same identity in the past 24–48 hours, such as:
    - Failed authentication attempts
    - IAM privilege escalations
    - Unusual STS AssumeRole usage
    - Access from new geolocations

### False positive analysis

- **Log rotation and automation**
  - Some systems delete log streams automatically when rolling new deployments or recycling compute resources.
  - CI/CD pipelines managing immutable infrastructure may delete and recreate streams during each deploy.

- **Test and development accounts**
  - Dev/test environments may frequently create and delete log streams as part of iterative work.

- **Bulk cleanup operations**
  - Platform engineering teams may delete obsolete log streams during cost-optimization or log-retention management.

If the rule triggers frequently from known infrastructure accounts or automation hosts, consider adding narrow exceptions using a combination of IAM role, IP range, or user agent.

### Response and remediation

- **Containment**
  - If the deletion is unauthorized, review other CloudWatch resources for additional tampering (alarms, log groups, metric filters).
  - Temporarily restrict permissions for the implicated IAM user or role.

- **Investigation**
  - Reconstruct any missing telemetry from alternative sources (e.g., S3 buckets, application logs, third-party logging systems).
  - Review CloudTrail and Config timelines for preceding suspicious events.
  - Validate whether the deleted log stream contained evidence of prior compromise.

- **Recovery and hardening**
  - Implement IAM least-privilege for `logs:DeleteLogStream`.
  - Enable AWS Config rules to monitor CloudWatch Logs configuration changes.
  - Set explicit retention periods on business-critical log groups; retention only controls when events expire, so protection against deletion has to come from IAM and SCP restrictions.
  - Forward security-relevant log groups to a second store (for example, a subscription filter or export into an S3 bucket in a separate logging account) so that a deleted stream is never the only copy.
  - Integrate log stream lifecycle management into CI/CD to avoid manual deletions.
  - Establish guardrails using Service Control Policies (SCPs) to block log deletions outside designated automation roles.

### Additional information

- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
"""
references = [
    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html",
    "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html",
]
risk_score = 47
rule_id = "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: Amazon CloudWatch",
    "Use Case: Log Auditing",
    "Tactic: Defense Evasion",
    "Tactic: Impact",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: "aws.cloudtrail"
    and event.provider: "logs.amazonaws.com"
    and event.action: "DeleteLogStream"
    and event.outcome: "success"
    and source.ip: *
    and not user_agent.original : "AWS Internal"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "target.entity.id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
]
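The rule's query and the first two investigation steps (identify the actor, pull the deleted group and stream out of `requestParameters`, look for related tampering by the same identity), replayed offline over constructed CloudTrail records. This is an added example, not Elastic's rule code or the AWS integration's ingest pipeline: the `to_ecs()` mapping approximates what the Elastic AWS CloudTrail integration produces (an assumption), and every ARN, IP address, key ID and log name below is a placeholder.

```python
"""Offline replay of the rule's KQL predicate plus the first triage steps over
constructed CloudTrail records. Added example, not Elastic's code; to_ecs()
approximates the Elastic integration's ECS mapping (assumption)."""
import ipaddress
from datetime import datetime, timedelta

# Defence-impairing API calls the investigation guide says to look for nearby.
RELATED_ACTIONS = {"DeleteLogGroup", "StopLogging", "UpdateTrail", "DeleteTrail",
                   "DeleteDetector", "DeleteAlarms"}
ACTOR = "arn:aws:sts::123456789012:assumed-role/dev-admin/alice"   # placeholder
CLI = "aws-cli/2.17.0 md/awscrt#0.20.11 os/linux"


def _rec(time, source, name, ip, ua, arn=ACTOR, params=None, error=None):
    """Build a minimal CloudTrail record (constructed sample data)."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "awsRegion": "us-east-1", "sourceIPAddress": ip, "userAgent": ua,
           "userIdentity": {"type": "AssumedRole", "arn": arn,
                            "accessKeyId": "ASIAEXAMPLEKEY00001"},
           "requestParameters": params or {}, "recipientAccountId": "123456789012"}
    if error:
        rec["errorCode"] = error
    return rec


SAMPLE_RECORDS = [
    # The same role stops the trail shortly before the deletion.
    _rec("2025-11-13T09:58:40Z", "cloudtrail.amazonaws.com", "StopLogging",
         "203.0.113.7", CLI, params={"name": "org-trail"}),
    # The event this rule fires on: a successful DeleteLogStream from the CLI.
    _rec("2025-11-13T10:00:05Z", "logs.amazonaws.com", "DeleteLogStream",
         "203.0.113.7", CLI, params={"logGroupName": "/aws/vpc/flow-logs",
                                     "logStreamName": "eni-0abc123def456-all"}),
    # Then the parent log group goes too.
    _rec("2025-11-13T10:01:30Z", "logs.amazonaws.com", "DeleteLogGroup",
         "203.0.113.7", CLI, params={"logGroupName": "/aws/vpc/flow-logs"}),
    # Denied attempt by another principal: event.outcome becomes "failure".
    _rec("2025-11-13T10:02:00Z", "logs.amazonaws.com", "DeleteLogStream",
         "198.51.100.9", CLI, arn="arn:aws:iam::123456789012:user/bob",
         params={"logGroupName": "/aws/lambda/api", "logStreamName": "2025/11/13/a"},
         error="AccessDeniedException"),
    # AWS-side housekeeping: no caller IP and user agent "AWS Internal".
    _rec("2025-11-13T10:03:00Z", "logs.amazonaws.com", "DeleteLogStream",
         "logs.amazonaws.com", "AWS Internal",
         arn="arn:aws:iam::123456789012:role/aws-service-role/example",
         params={"logGroupName": "/aws/lambda/api", "logStreamName": "old"}),
]


def to_ecs(rec):
    """Flatten a CloudTrail record into the ECS fields the rule queries."""
    doc = {
        "event.dataset": "aws.cloudtrail",
        "event.provider": rec["eventSource"],
        "event.action": rec["eventName"],
        "event.outcome": "failure" if "errorCode" in rec else "success",
        "user_agent.original": rec.get("userAgent"),
        "aws.cloudtrail.user_identity.arn": rec["userIdentity"]["arn"],
        "aws.cloudtrail.user_identity.access_key_id": rec["userIdentity"].get("accessKeyId"),
        "aws.cloudtrail.request_parameters": rec.get("requestParameters", {}),
        "@timestamp": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
    }
    try:  # service principals put a hostname here, so source.ip stays unset
        doc["source.ip"] = str(ipaddress.ip_address(rec["sourceIPAddress"]))
    except ValueError:
        doc["source.address"] = rec["sourceIPAddress"]
    return doc


def matches_rule(doc):
    """The rule's KQL, clause by clause."""
    return (doc["event.dataset"] == "aws.cloudtrail"
            and doc["event.provider"] == "logs.amazonaws.com"
            and doc["event.action"] == "DeleteLogStream"
            and doc["event.outcome"] == "success"
            and doc.get("source.ip") is not None            # source.ip: *
            and doc["user_agent.original"] != "AWS Internal")


def related_activity(docs, arn, at, window=timedelta(minutes=10)):
    """Related API calls by the same identity within +/- window, oldest first."""
    return sorted((d["@timestamp"], d["event.action"]) for d in docs
                  if d["aws.cloudtrail.user_identity.arn"] == arn
                  and d["event.action"] in RELATED_ACTIONS
                  and abs(d["@timestamp"] - at) <= window)


def triage(records):
    """Run the rule and attach the context the investigation guide asks for."""
    docs = [to_ecs(r) for r in records]
    alerts = []
    for d in docs:
        if not matches_rule(d):
            continue
        params = d["aws.cloudtrail.request_parameters"]
        arn = d["aws.cloudtrail.user_identity.arn"]
        alerts.append({"actor": arn, "source_ip": d["source.ip"],
                       "user_agent": d["user_agent.original"],
                       "log_group": params.get("logGroupName"),
                       "log_stream": params.get("logStreamName"),
                       "related": [n for _, n in related_activity(docs, arn, d["@timestamp"])]})
    return alerts
```

Of the five records only the second produces an alert: the denied call fails the `event.outcome` clause, and the service-initiated deletion fails both the `source.ip: *` clause (a hostname in `sourceIPAddress` never becomes `source.ip`) and the user-agent exclusion. The alert carries the deleted group and stream and the `StopLogging` and `DeleteLogGroup` calls the same role made within a few minutes, which is the pattern the guide tells you to look for before treating the deletion as routine cleanup.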
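The SCP guardrail the hardening list recommends, written out as a policy document together with a small checker for the one evaluation detail that trips people up. This is an added example, not Elastic's or AWS's code: the role name `log-lifecycle-automation` and the account IDs are placeholders, the action list is one sensible choice rather than a published baseline, and `scp_denies()` is a deliberate simplification of IAM evaluation that handles only explicit `Deny` statements with a `StringNotLike` condition on `aws:PrincipalArn` (no `Allow` statements, no other condition keys or operators).

```python
"""SCP that blocks CloudWatch Logs and CloudTrail deletions outside a designated
automation role, plus a simplified checker. Added example; names are
placeholders and the evaluator covers only Deny + StringNotLike(aws:PrincipalArn)."""
import json
import re

LOG_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyLogDeletionOutsideAutomation",
        "Effect": "Deny",
        "Action": [
            "logs:DeleteLogStream",
            "logs:DeleteLogGroup",
            "logs:DeleteRetentionPolicy",
            "cloudtrail:StopLogging",
            "cloudtrail:DeleteTrail",
        ],
        "Resource": "*",
        # aws:PrincipalArn of an assumed-role session is the *role* ARN, so the
        # exemption is written against the role, not against a session ARN.
        "Condition": {"StringNotLike": {
            "aws:PrincipalArn": ["arn:aws:iam::*:role/log-lifecycle-automation"]}},
    }],
}


def _like(pattern, value):
    """IAM StringLike matching: '*' is any run, '?' one character, case-sensitive."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None


def session_principal_arn(caller_arn):
    """Map the sts assumed-role ARN CloudTrail records to the IAM role ARN that
    aws:PrincipalArn carries during policy evaluation; other ARNs pass through."""
    m = re.fullmatch(r"arn:aws:sts::(\d+):assumed-role/([^/]+)/.+", caller_arn)
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if m else caller_arn


def scp_denies(policy, action, principal_arn):
    """True if some Deny statement in the policy applies to this call."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(_like(p, action) for p in actions):
            continue
        exempt = st.get("Condition", {}).get("StringNotLike", {}).get("aws:PrincipalArn", [])
        exempt = exempt if isinstance(exempt, list) else [exempt]
        # StringNotLike holds (so the Deny applies) when no pattern matches.
        if not any(_like(p, principal_arn) for p in exempt):
            return True
    return False


def policy_json():
    """The document as you would paste it into Organizations."""
    return json.dumps(LOG_GUARDRAIL_SCP, indent=2)
```

Two caveats that matter when you deploy something like this: SCPs never apply to the management account or to service-linked roles, so those paths still need CloudTrail monitoring, and `aws:PrincipalArn` must be matched against the role ARN (the `session_principal_arn()` normalisation above), because a pattern written against `arn:aws:sts::...:assumed-role/...` will never match and the Deny would then hit the automation role too.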
References
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html
- https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html
Related rules
- AWS CloudWatch Log Group Deletion
- AWS CloudWatch Alarm Deletion
- AWS CloudTrail Log Deleted
- AWS CloudTrail Log Suspended
- AWS CloudTrail Log Updated