AWS EventBridge Rule Disabled or Deleted

Last updated 22 days ago on 2026-01-16
Created 4 years ago on 2021-10-17

About

Identifies when an Amazon EventBridge rule is disabled or deleted. EventBridge rules are commonly used to automate operational workflows and security-relevant routing (for example, forwarding events to Lambda, SNS/SQS, or security tooling). Disabling or deleting a rule can break critical integrations, suppress detections, and reduce visibility. Adversaries may intentionally impair EventBridge rules to disrupt monitoring, delay response, or hide follow-on actions.
Tags
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS EventBridge
Tactic: Impact
Language: kuery
Severity
low
Risk Score
21
MITRE ATT&CK™

Impact (TA0040)

False Positive Examples
EventBridge rules may be disabled or deleted during legitimate maintenance, refactoring, environment teardown, or migration to new event patterns/targets. Verify whether the initiating identity, user agent, and source host are expected to administer EventBridge and whether the change aligns with an approved change window or deployment.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-aws.cloudtrail-*
Related Integrations

aws

Query
event.dataset: aws.cloudtrail and event.provider: events.amazonaws.com and event.action: (DeleteRule or DisableRule) and event.outcome: success
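
The Python below is an added example, not part of the Elastic rule: it applies the query's conditions to raw CloudTrail records and extracts the fields the false-positive guidance says to verify. It assumes that `event.provider` corresponds to CloudTrail's `eventSource`, `event.action` to `eventName`, and `event.outcome: success` to a record without `errorCode`; the function names are hypothetical and all sample records are constructed.

```python
# Constructed sample data; field names follow the raw CloudTrail record format.
RULE_ACTIONS = {"DeleteRule", "DisableRule"}

def matches_rule(record):
    """Mirror the query: EventBridge provider, action in scope, successful call."""
    return (
        record.get("eventSource") == "events.amazonaws.com"
        and record.get("eventName") in RULE_ACTIONS
        # Assumption: no errorCode in the record corresponds to event.outcome: success.
        and not record.get("errorCode")
    )

def triage(record):
    """Pull out the fields the false-positive guidance says to verify."""
    params = record.get("requestParameters") or {}
    identity = record.get("userIdentity") or {}
    return {
        "action": record.get("eventName"),
        "rule": params.get("name"),
        "identity": identity.get("arn"),
        "user_agent": record.get("userAgent"),
        "source": record.get("sourceIPAddress"),
    }

def find_alerts(records):
    return [triage(r) for r in records if matches_rule(r)]

def sample(source, name, rule, role, error=None):
    """Build one constructed CloudTrail record (account id and IP are placeholders)."""
    rec = {
        "eventSource": source, "eventName": name,
        "userIdentity": {"arn": f"arn:aws:sts::111122223333:assumed-role/{role}/session"},
        "userAgent": "aws-cli/2.x", "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"name": rule},
    }
    if error:
        rec["errorCode"] = error
    return rec

SAMPLE_RECORDS = [
    sample("events.amazonaws.com", "DisableRule", "guardduty-to-sns", "deploy"),
    sample("events.amazonaws.com", "DeleteRule", "guardduty-to-sns", "analyst"),
    sample("events.amazonaws.com", "DeleteRule", "audit-forwarder", "analyst", "AccessDenied"),
    sample("events.amazonaws.com", "PutRule", "audit-forwarder", "deploy"),
    sample("waf.amazonaws.com", "DeleteRule", "block-list", "deploy"),
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_RECORDS):
        print(alert)
```

Only the first two sample records match: the denied `DeleteRule`, the `PutRule`, and the same-named `DeleteRule` call from another service are excluded by the outcome, action, and provider conditions respectively.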

Install detection rules in Elastic Security

Detect AWS EventBridge Rule Disabled or Deleted in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.