Rules Contributing to Suspicious AWS VPC Flow Logs Modification Alert

The following rules are used to identify suspicious modification of AWS VPC Flow logs. Any one or more of these will trigger Suspicious AWS VPC Flow Logs Modification Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

AWS VPC Flow Logs Deletion

Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses.

More details

Rule ID

aws_66

Query

{'selection1': {'eventSource': 'ec2.amazonaws.com'}, 'selection2': {'eventName': 'DeleteFlowLogs'}, 'condition': 'selection1 and selection2'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0005, T1562

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2020/06/15	high	Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Flow log deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.