
10.SOCLabs: AWS Remove VPC Flow Logs

https://www.soc-labs.top/en/detections/90

Goal:

Detect API calls that delete VPC Flow Log configurations and identify key operational events that may disrupt network traffic monitoring.

Detailed Reasoning:

  1. Searched here: https://docs.aws.amazon.com/ (for: VPC)
  2. Searched here: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html (for: "delete under logs")
  3. Jotted down links:

Sigma Query:

```yaml
title: AWS Remove VPC Flow Logs
status: test
description: AWS Remove VPC Flow Logs
references:
    - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html
author: Soumyanil Biswas
date: 2025-10-15
modified: 2025-10-15
tags:
    - attack.xxxx
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: ec2.amazonaws.com
        eventType: AwsApiCall
        # Deletes one or more flow logs.
        eventName: DeleteFlowLogs
    condition: selection
falsepositives:
    - unknown
level: high
fields:
    - eventName
    - sourceIPAddress
    - eventID
    - eventSource
    - userIdentity.arn
```
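To show what the rule's `selection` and `fields` actually do against CloudTrail records, here is an added Python example (not part of the SOC Labs page or the Sigma rule itself). It evaluates the three selection keys as an AND over newline-delimited CloudTrail JSON and returns the requested fields, including the nested `userIdentity.arn`; the sample records are constructed, not real CloudTrail data.

```python
import json

# Selection criteria copied from the Sigma rule: all three must match (Sigma AND semantics).
SELECTION = {
    "eventSource": "ec2.amazonaws.com",
    "eventType": "AwsApiCall",
    "eventName": "DeleteFlowLogs",
}
# Output fields requested by the rule; dotted paths walk into nested JSON objects.
FIELDS = ["eventName", "sourceIPAddress", "eventID", "eventSource", "userIdentity.arn"]


def get_path(record, path):
    """Resolve a dotted field path such as 'userIdentity.arn'; None if any segment is missing."""
    cur = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(record):
    """True only when every selection key/value pair is present and equal."""
    return all(record.get(k) == v for k, v in SELECTION.items())


def detect(lines):
    """Run the rule over CloudTrail records (one JSON object per line); return rule fields per hit."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue  # skip blank lines in the export
        rec = json.loads(line)
        if matches(rec):
            hits.append({f: get_path(rec, f) for f in FIELDS})
    return hits


# Constructed sample records: a DeleteFlowLogs call (should alert), a CreateFlowLogs call
# (same principal, must not alert) and a CloudWatch Logs DeleteLogGroup call (different
# eventSource, outside this rule's scope).
SAMPLE_LOG = """
{"eventID":"sample-0001","eventSource":"ec2.amazonaws.com","eventType":"AwsApiCall","eventName":"DeleteFlowLogs","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/example-user"}}
{"eventID":"sample-0002","eventSource":"ec2.amazonaws.com","eventType":"AwsApiCall","eventName":"CreateFlowLogs","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/example-user"}}
{"eventID":"sample-0003","eventSource":"logs.amazonaws.com","eventType":"AwsApiCall","eventName":"DeleteLogGroup","sourceIPAddress":"203.0.113.11","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/ops/session"}}
"""

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG.splitlines()):
        print(hit)
```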

Query Result:

[screenshot of the query result]