Elastic Security Detection Rules

AWS CloudWatch Log Group Deletion

Last updated 2 months ago on 2025-11-13
Created 6 years ago on 2020-05-18

About

Detects the deletion of an Amazon CloudWatch Log Group using the "DeleteLogGroup" API. CloudWatch log groups store operational and security logs for AWS services and custom applications. Deleting a log group permanently removes all associated log streams and historical log data, which can eliminate forensic evidence and disrupt security monitoring pipelines. Adversaries may delete log groups to conceal malicious activity, disable log forwarding, or impede incident response.
Tags
Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: Amazon CloudWatchUse Case: Log AuditingTactic: Defense EvasionTactic: ImpactLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Impact (TA0040)(external, opens in a new tab or window)

Data Destruction (T1485)(external, opens in a new tab or window)

Defense Evasion (TA0005)(external, opens in a new tab or window)

Impair Defenses (T1562)(external, opens in a new tab or window)

False Positive Examples
CloudWatch log group deletions may occur during normal maintenance or infrastructure re-deployments, especially in environments managed by IaC tools (e.g., Terraform, CloudFormation, CDK). Automation pipelines may recreate log groups as part of expected workflows. Verify that the identity, user agent, and source IP match approved administrative or automation activity. If deletions are routine for specific automation roles or CI/CD hosts, consider adding scoped exceptions.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*logs-aws.cloudtrail-*
Related Integrations

aws(external, opens in a new tab or window)

Query
text code block:
event.dataset: "aws.cloudtrail" 
  and event.provider: "logs.amazonaws.com" 
  and event.action: "DeleteLogGroup" 
  and event.outcome: "success"
  and source.ip: * 
  and not user_agent.original : "AWS Internal"

Install detection rules in Elastic Security

Detect AWS CloudWatch Log Group Deletion in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).