Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhighexperimental

AWS VPC Flow Logs Deleted

Detects the deletion of one or more VPC Flow Logs in AWS Elastic Compute Cloud (EC2) through the DeleteFlowLogs API call. Adversaries may delete flow logs to evade detection or remove evidence of network activity, hindering forensic investigations and visibility into malicious operations.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Ivan SaakovCreated Sun Oct 19e386b9b5-af12-450e-afff-761730fb8a98cloud
Log Source
AWScloudtrail
ProductAWS← raw: aws
Servicecloudtrail← raw: cloudtrail
Detection Logic
Detection Logic3 selectors
detection:
    selection_event_name:
        eventName: 'DeleteFlowLogs'
    selection_status_success:
        errorCode: 'Success'
    selection_status_null:
        errorCode: null
    condition: selection_event_name and 1 of selection_status_*
False Positives

During maintenance operations or testing, authorized administrators may delete VPC Flow Logs as part of routine network management or cleanup activities.

References
1
Resolving title…
docs.aws.amazon.com
2
Resolving title…
awscli.amazonaws.com
3
Resolving title…
elastic.co
MITRE ATT&CK
Rule Metadata
Rule ID
e386b9b5-af12-450e-afff-761730fb8a98
Status
experimental
Level
high
Type
Detection
Created
Sun Oct 19
Author
Ivan Saakov
Path
rules/cloud/aws/cloudtrail/aws_cloudtrail_vpc_flow_logs_deleted.yml
Raw Tags
attack.defense-evasion
View on GitHub