Amazon CloudWatch Logs AWS-logs

3 operations, identified by eventName in the audit log.

eventName	Description
_catch_all	Catch-all entry for AWS-logs rules that match the service but not a specific eventName.
DeleteLogGroup	Deletes the specified CloudWatch Logs log group and all its associated log streams, subscription filters, metric filters, and retention policies.
DeleteLogStream	Deletes the specified log stream and permanently deletes all the archived log events associated with the log stream.

_catch_all: AWS-logs (catch-all)

Service: AWS-logs

Description

Catch-all entry for AWS-logs rules that match the service but not a specific eventName.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

DeleteLogGroup

Service: AWS-logs

Description

Deletes the specified CloudWatch Logs log group and all its associated log streams, subscription filters, metric filters, and retention policies.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`logs.amazonaws.com`	1 rule	elastic
`aws::errorCode`	eq	`success`	1 rule	splunk
`aws::eventName`	eq	`DeleteLogGroup`	1 rule	splunk
`userAgent`	ne	`console.amazonaws.com`	1 rule	splunk

Detection Rules #

View all rules referencing this event →

Elastic #

AWS CloudWatch Log Group Deletion source medium: Detects the deletion of an Amazon CloudWatch Log Group using the "DeleteLogGroup" API. CloudWatch log groups store operational and security logs for AWS services and custom applications. Deleting a log group permanently removes all associated log streams and historical log data, which can eliminate forensic evidence and disrupt security monitoring pipelines. Adversaries may delete log groups to conceal malicious activity, disable log forwarding, or impede incident response.

Splunk #

AWS Defense Evasion Delete CloudWatch Log Group source: The following analytic detects the deletion of CloudWatch log groups in AWS, identified through DeleteLogGroup events in CloudTrail logs. This detection leverages CloudTrail data to monitor for successful log group deletions, excluding…

YARA-L #

AWS Delete CloudWatch Log Group source: Detects when a CloudWatch log group is deleted.

DeleteLogStream

Service: AWS-logs

Description

Deletes the specified log stream and permanently deletes all the archived log events associated with the log stream.

Fields #

Name	Description
`eventName`	The name of the API action that was called.
`eventSource`	The AWS service endpoint that received the request (e.g. iam.amazonaws.com).
`eventType`	CloudTrail event category: AwsApiCall, AwsConsoleSignIn, AwsConsoleAction, AwsServiceEvent, or AwsVpceEvents.
`userIdentity`	The IAM entity that made the request (type, principalId, arn, accountId, sessionContext).
`sourceIPAddress`	IP address of the caller, or the AWS service principal for service-initiated calls.
`awsRegion`	AWS Region the request was made to.
`requestParameters`	Parameters sent with the request. Shape is action-specific; null when none.
`responseElements`	Response elements. Shape is action-specific; null for reads or when absent.
`errorCode`	AWS service error code when the request failed. Absent on success.
`errorMessage`	Description of the error when errorCode is present.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`logs.amazonaws.com`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

AWS CloudWatch Log Stream Deletion source medium: Detects the deletion of an Amazon CloudWatch log stream using the "DeleteLogStream" API. Deleting a log stream permanently removes its associated log events and may disrupt security visibility, break audit trails, or suppress forensic evidence. Adversaries may delete log streams to conceal malicious actions, impair monitoring pipelines, or remove artifacts generated during post-exploitation activity.

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Amazon CloudWatch Logs AWS-logs

_catch_all: AWS-logs (catch-all)

Description

Fields #

DeleteLogGroup

Description

Fields #

Common Indicators #

Detection Rules #

Elastic #

Splunk #

YARA-L #

DeleteLogStream

Description

Fields #

Common Indicators #

Detection Rules #

Elastic #

Keyboard shortcuts

Search operators