a log stream may be deleted by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. log stream deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

source: <a href=https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml>elastic
technicques: T1485 T1562

Techniques

Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream.

event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success