AWS Lambda Function Deletion

Last updated 6 days ago on 2026-06-18
Created 6 days ago on 2026-06-18

About

Identifies the deletion of an AWS Lambda function. Deleting a function removes its code, configuration, versions, and aliases. Adversaries may delete functions to disrupt business operations and automated workflows, to destroy attacker-deployed backdoors and remove evidence after achieving their objective, or to inhibit incident response. Because function deletion is destructive and often irreversible without redeployment, deletions performed by unexpected principals or outside change windows should be reviewed.
Tags
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Lambda
Use Case: Threat Detection
Tactic: Impact
Language: kuery
Severity
low
Risk Score
21
MITRE ATT&CK™

Impact (TA0040)

False Positive Examples
Lambda functions are routinely deleted during application decommissioning, environment teardown, and infrastructure-as-code apply/destroy cycles. Verify whether the principal in `aws.cloudtrail.user_identity.arn` and the deleted function are expected for the workload, and whether the change aligns with an approved maintenance or deployment window. Known deployment roles and automation can be excluded after validation.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-aws.cloudtrail-*
Related Integrations

aws

Query
```text
data_stream.dataset: "aws.cloudtrail" and event.provider: "lambda.amazonaws.com" and event.action: (DeleteFunction or DeleteFunction20*) and event.outcome: "success"
```
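
The query conditions combined with the review steps from False Positive Examples, as an added example that is not part of the Elastic rule. The flat dotted-key document shape, the allowlisted role pattern, the 01:00-03:00 UTC change window and the sample events are all constructed assumptions.

```python
import fnmatch
from datetime import datetime, time

# Assumption: principals already validated as deployment automation.
ALLOWED_PRINCIPALS = ["arn:aws:sts::111122223333:assumed-role/ci-deploy/*"]
# Assumption: approved change window, 01:00-03:00 UTC.
WINDOW = (time(1, 0), time(3, 0))

def matches_rule(doc):
    """Apply the same conditions as the rule query to a flat ECS-style dict."""
    action = doc.get("event.action", "")
    return (
        doc.get("data_stream.dataset") == "aws.cloudtrail"
        and doc.get("event.provider") == "lambda.amazonaws.com"
        and (action == "DeleteFunction" or action.startswith("DeleteFunction20"))
        and doc.get("event.outcome") == "success"
    )

def triage(doc):
    """Return None if the rule would not fire, else 'expected' or 'review'."""
    if not matches_rule(doc):
        return None
    arn = doc.get("aws.cloudtrail.user_identity.arn", "")
    known = any(fnmatch.fnmatchcase(arn, p) for p in ALLOWED_PRINCIPALS)
    ts = datetime.fromisoformat(doc["@timestamp"].replace("Z", "+00:00"))
    in_window = WINDOW[0] <= ts.time() < WINDOW[1]
    # Both checks must pass; a known role acting outside the window is reviewed.
    return "expected" if known and in_window else "review"

def _event(ts, arn, action="DeleteFunction20150331", outcome="success"):
    """Build one constructed sample document."""
    return {
        "@timestamp": ts,
        "data_stream.dataset": "aws.cloudtrail",
        "event.provider": "lambda.amazonaws.com",
        "event.action": action,
        "event.outcome": outcome,
        "aws.cloudtrail.user_identity.arn": arn,
    }

CI = "arn:aws:sts::111122223333:assumed-role/ci-deploy/pipeline-42"
USER = "arn:aws:iam::111122223333:user/alice"
SAMPLE = [  # constructed events, not real log data
    _event("2026-06-18T01:30:00Z", CI),
    _event("2026-06-18T14:00:00Z", CI),
    _event("2026-06-18T02:00:00Z", USER),
    _event("2026-06-18T02:05:00Z", USER, outcome="failure"),
    _event("2026-06-18T02:10:00Z", CI, action="CreateFunction20150331"),
]

if __name__ == "__main__":
    for doc in SAMPLE:
        print(doc["@timestamp"], doc["event.action"], triage(doc))
```

Only the first sample event is treated as expected; the same deployment role acting outside the window, and any unlisted principal, go to review.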

Install detection rules in Elastic Security

Detect AWS Lambda Function Deletion in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.