AWS VPC Flow Logs Deleted
Detects the deletion of one or more VPC Flow Logs in AWS Elastic Compute Cloud (EC2) through the DeleteFlowLogs API call. Adversaries may delete flow logs to evade detection or remove evidence of network activity, hindering forensic investigations and visibility into malicious operations.
Sigma rule (View on GitHub)
1title: AWS VPC Flow Logs Deleted
2id: e386b9b5-af12-450e-afff-761730fb8a98
3status: experimental
4description: |
5 Detects the deletion of one or more VPC Flow Logs in AWS Elastic Compute Cloud (EC2) through the DeleteFlowLogs API call.
6 Adversaries may delete flow logs to evade detection or remove evidence of network activity, hindering forensic investigations and visibility into malicious operations.
7references:
8 - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html
9 - https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html
10 - https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion
11author: Ivan Saakov
12date: 2025-10-19
13tags:
14 - attack.stealth
15logsource:
16 product: aws
17 service: cloudtrail
18detection:
19 selection_event_name:
20 eventName: 'DeleteFlowLogs'
21 selection_status_success:
22 errorCode: 'Success'
23 selection_status_null:
24 errorCode: null
25 condition: selection_event_name and 1 of selection_status_*
26falsepositives:
27 - During maintenance operations or testing, authorized administrators may delete VPC Flow Logs as part of routine network management or cleanup activities.
28level: high
References
-
-
-
Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses...
Read More
Related rules
- .RDP File Created By Uncommon Application
- ADS Zone.Identifier Deleted By Uncommon Application
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity
- APT29 2018 Phishing Campaign CommandLine Indicators