aws administrator legitimately disabling bucket versioning

source: <a href=https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml>sigma
technicques: t1490

Techniques

Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects.

condition: selection
selection:
  eventName: PutBucketVersioning
  eventSource: s3.amazonaws.com
  requestParameters|contains: Suspended