Rules: AWS CloudWatch Alarm Deletion
Detects the AWS CloudWatch DeleteAlarms API action. DeleteAlarms deletes the specified alarms. You can delete up to 100 alarms in one operation. However, this total can include no more than one composite alarm. For example, you could delete 99 metric alarms and one composite alarms with one operation, but you can't delete two composite alarms with one operation.
| Detail | Value |
|---|---|
| Type | Templated Match |
| Category | Impact |
| Apply Risk to Entities | device_ip, user_username, srcDevice_ip, device_hostname, srcDevice_hostname |
| Signal Name | AWS CloudWatch Alarm Deletion |
| Summary Expression | {{action}} performed by user: {{user_username}} |
| Score/Severity | Static: 3 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTechnique:T1562, _mitreAttackTactic:TA0005, _mitreAttackTechnique:T1562.008, _mitreAttackTechnique:T1562.001 |
| Origin | Field |
|---|---|
| Normalized Schema | action |
| Normalized Schema | application |
| Normalized Schema | device_hostname |
| Normalized Schema | device_ip |
| Normalized Schema | listMatches |
| Normalized Schema | metadata_product |
| Normalized Schema | metadata_vendor |
| Normalized Schema | srcDevice_hostname |
| Normalized Schema | srcDevice_ip |
| Normalized Schema | user_username |