Rules Contributing to Suspicious AWS VPC Flow Logs Modification Alert
The following rules are used to identify suspicious modification of AWS VPC Flow logs. Any one or more of these will trigger Suspicious AWS VPC Flow Logs Modification Alert. Details for each rule can be viewed by clicking the More Details link in the description.
Title |
Description |
||||||||
---|---|---|---|---|---|---|---|---|---|
AWS VPC Flow Logs Deletion |
Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses. More details
Rule IDQuery{'selection1': {'eventSource': 'ec2.amazonaws.com'}, 'selection2': {'eventName': 'DeleteFlowLogs'}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber AWS configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|