AWS CloudWatch Alarm Deletion

Last updated 2 months ago on 2025-11-13
Created 6 years ago on 2020-06-15

About

Detects the deletion of one or more Amazon CloudWatch alarms using the "DeleteAlarms" API. CloudWatch alarms are critical for monitoring metrics and triggering alerts when thresholds are exceeded. An adversary may delete alarms to impair visibility, silence alerts, and evade detection following malicious activity. This behavior may occur during post-exploitation or cleanup phases to remove traces of compromise or disable automated responses.
Tags
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: Amazon CloudWatch
Tactic: Defense Evasion
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Defense Evasion (TA0005)

False Positive Examples
CloudWatch alarm deletions can occur legitimately during scheduled maintenance, infrastructure redeployments, or automation workflows that clean up temporary monitoring configurations. Verify that the user identity, role, and IP address are expected for the environment. If deletions are performed by CI/CD pipelines or authorized administrators during controlled operations, consider adding exceptions based on specific IAM roles, automation accounts, or IP address ranges.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-aws.cloudtrail-*
Related Integrations

aws

Query
event.dataset: "aws.cloudtrail" and event.provider: "monitoring.amazonaws.com" and event.action: "DeleteAlarms" and event.outcome: "success" and source.ip: * and not user_agent.original : "AWS Internal"
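To show what the query actually selects, and how the exceptions suggested under False Positive Examples can be layered on top, here is an added example that is not part of the rule or of Elastic's code. It re-implements the KQL clauses as a Python predicate over constructed, ECS-shaped CloudTrail documents; treating `source.ip: *` as an existence check and the `user_agent.original` clause as an exact keyword match is an assumption, and the field names, sample identities and IP ranges are invented.

```python
import ipaddress

# Constructed ECS-shaped CloudTrail events (not real data) carrying the fields the rule queries.
SAMPLE_EVENTS = [
    {"event": {"dataset": "aws.cloudtrail", "provider": "monitoring.amazonaws.com",
               "action": "DeleteAlarms", "outcome": "success"},
     "source": {"ip": "203.0.113.7"}, "user_agent": {"original": "aws-cli/2.15.0"},
     "user": {"name": "alice"}},                       # interactive deletion from an unknown IP
    {"event": {"dataset": "aws.cloudtrail", "provider": "monitoring.amazonaws.com",
               "action": "DeleteAlarms", "outcome": "success"},
     "source": {"ip": "198.51.100.9"}, "user_agent": {"original": "AWS Internal"},
     "user": {"name": "cloudformation-service"}},      # excluded by the user_agent clause
    {"event": {"dataset": "aws.cloudtrail", "provider": "monitoring.amazonaws.com",
               "action": "DeleteAlarms", "outcome": "failure"},
     "source": {"ip": "203.0.113.7"}, "user_agent": {"original": "aws-cli/2.15.0"},
     "user": {"name": "bob"}},                         # denied call, outcome != success
    {"event": {"dataset": "aws.cloudtrail", "provider": "monitoring.amazonaws.com",
               "action": "DeleteAlarms", "outcome": "success"},
     "source": {"ip": "10.20.30.40"}, "user_agent": {"original": "terraform/1.6"},
     "user": {"name": "ci-deploy-role"}},              # CI pipeline, candidate for an exception
]

def field(doc, dotted):
    """Resolve a dotted ECS field name against a nested dict; None if absent."""
    for key in dotted.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc

def matches_rule(evt):
    """Python rendering of the rule's KQL (assumed semantics: `source.ip: *` means the
    field exists, and the user_agent clause is an exact keyword comparison)."""
    return (field(evt, "event.dataset") == "aws.cloudtrail"
            and field(evt, "event.provider") == "monitoring.amazonaws.com"
            and field(evt, "event.action") == "DeleteAlarms"
            and field(evt, "event.outcome") == "success"
            and field(evt, "source.ip") is not None
            and field(evt, "user_agent.original") != "AWS Internal")

def triage(events, allowed_users=(), allowed_cidrs=()):
    """Apply the rule, then suppress hits only when BOTH the identity and the source
    range are approved (the exception pattern the False Positive section describes)."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    alerts = []
    for evt in events:
        if not matches_rule(evt):
            continue
        ip = ipaddress.ip_address(field(evt, "source.ip"))
        approved = field(evt, "user.name") in allowed_users and any(ip in n for n in nets)
        if not approved:
            alerts.append(evt)
    return alerts
```

Requiring identity and network to match together keeps a stolen automation credential used from an unexpected address from being silently excepted.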

Install detection rules in Elastic Security

Detect AWS CloudWatch Alarm Deletion in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.