CloudWatch alarm deletions can occur legitimately during scheduled maintenance, infrastructure redeployments, or automation workflows that clean up temporary monitoring configurations. Verify that the user identity, role, and IP address are expected for the environment. If deletions are performed by CI/CD pipelines or authorized administrators during controlled operations, consider adding exceptions based on specific IAM roles, automation accounts, or IP address ranges.

Techniques

Sample rules

AWS CloudWatch Alarm Deletion

Description

Detects the deletion of one or more Amazon CloudWatch alarms using the “DeleteAlarms” API. CloudWatch alarms are critical for monitoring metrics and triggering alerts when thresholds are exceeded. An adversary may delete alarms to impair visibility, silence alerts, and evade detection following malicious activity. This behavior may occur during post-exploitation or cleanup phases to remove traces of compromise or disable automated responses.

Detection logic

event.dataset: "aws.cloudtrail"
  and event.provider: "monitoring.amazonaws.com"
  and event.action: "DeleteAlarms"
  and event.outcome: "success"
  and source.ip: *
  and not user_agent.original : "AWS Internal"
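As an added example (not part of this LoFP entry or of the rule's own source), the Python below mirrors the detection logic on raw CloudTrail record fields and then applies the exception pattern the false-positive note describes: a matching deletion is only marked as expected when both the calling principal (IAM role or user) and the source IP are on an allowlist, so neither a known role from an unknown address nor an unknown identity from a known range is silenced. The field mapping it assumes is the usual one for CloudTrail in ECS: eventSource to event.provider, eventName to event.action, absence of errorCode to event.outcome "success", sourceIPAddress to source.ip, userAgent to user_agent.original. The records, role and user names, account id and IP ranges are all constructed for the example.

```python
"""Triage CloudTrail DeleteAlarms events: apply the detection rule, then the
identity + source-IP exceptions suggested in the LoFP note (added example)."""
import ipaddress
import json

# Constructed CloudTrail records (not real events); account id, names and
# addresses are placeholders chosen for this example.
SAMPLE_RECORDS = [
    {   # CI/CD role cleaning up a temporary alarm from an expected address
        "eventSource": "monitoring.amazonaws.com", "eventName": "DeleteAlarms",
        "sourceIPAddress": "10.20.30.40", "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/pipeline-run-77"},
        "requestParameters": {"alarmNames": ["tmp-canary-cpu"]},
    },
    {   # Same role, but the call comes from outside the expected ranges
        "eventSource": "monitoring.amazonaws.com", "eventName": "DeleteAlarms",
        "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/laptop-session"},
        "requestParameters": {"alarmNames": ["prod-api-5xx-rate"]},
    },
    {   # Unknown IAM user deleting a production alarm
        "eventSource": "monitoring.amazonaws.com", "eventName": "DeleteAlarms",
        "sourceIPAddress": "198.51.100.9", "userAgent": "console.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor-tmp"},
        "requestParameters": {"alarmNames": ["prod-guardduty-findings"]},
    },
    {   # Service-originated call: excluded by the rule's user-agent clause
        "eventSource": "monitoring.amazonaws.com", "eventName": "DeleteAlarms",
        "sourceIPAddress": "10.20.30.41", "userAgent": "AWS Internal",
        "userIdentity": {"type": "AWSService", "arn": ""},
        "requestParameters": {"alarmNames": ["auto-scaled-alarm"]},
    },
    {   # Denied attempt: errorCode present, so event.outcome is not success
        "eventSource": "monitoring.amazonaws.com", "eventName": "DeleteAlarms",
        "errorCode": "AccessDenied", "sourceIPAddress": "198.51.100.9",
        "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor-tmp"},
    },
    {   # Different API on the same service: not a deletion
        "eventSource": "monitoring.amazonaws.com", "eventName": "PutMetricAlarm",
        "sourceIPAddress": "10.20.30.40", "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/pipeline-run-78"},
    },
]

# Constructed exception policy: roles/users that may delete alarms, and the
# address ranges those operations are expected to come from.
EXPECTED_POLICY = {
    "roles": {"ci-deploy"},
    "users": {"arn:aws:iam::123456789012:user/monitoring-automation"},
    "ip_ranges": [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")],
}


def source_ip(record):
    """Parsed sourceIPAddress, or None when it is absent or a DNS name (no source.ip in ECS)."""
    try:
        return ipaddress.ip_address(record.get("sourceIPAddress", ""))
    except ValueError:
        return None


def matches_rule(record):
    """Mirror of the rule's detection logic over raw CloudTrail fields."""
    return (record.get("eventSource") == "monitoring.amazonaws.com"   # event.provider
            and record.get("eventName") == "DeleteAlarms"             # event.action
            and "errorCode" not in record                             # event.outcome: success
            and source_ip(record) is not None                         # source.ip: *
            and record.get("userAgent") != "AWS Internal")            # not user_agent.original


def principal(record):
    """('role', RoleName) for assumed-role sessions, otherwise ('user', full ARN)."""
    ident = record.get("userIdentity", {})
    arn = ident.get("arn", "")
    if ident.get("type") == "AssumedRole" and ":assumed-role/" in arn:
        # arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>
        return "role", arn.split(":assumed-role/", 1)[1].split("/", 1)[0]
    return "user", arn


def is_expected(record, policy):
    """True only when both the identity and the source address are allowlisted."""
    kind, name = principal(record)
    identity_ok = (kind == "role" and name in policy["roles"]) or \
                  (kind == "user" and name in policy["users"])
    ip = source_ip(record)
    ip_ok = ip is not None and any(ip in net for net in policy["ip_ranges"])
    return identity_ok and ip_ok


def triage(records, policy):
    """Label each record 'no_match', 'expected' (exception applies) or 'alert'."""
    out = []
    for rec in records:
        if not matches_rule(rec):
            verdict = "no_match"
        elif is_expected(rec, policy):
            verdict = "expected"
        else:
            verdict = "alert"
        out.append({"verdict": verdict, "principal": principal(rec)[1],
                    "source_ip": rec.get("sourceIPAddress"),
                    "alarms": rec.get("requestParameters", {}).get("alarmNames", [])})
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_RECORDS, EXPECTED_POLICY):
        print(json.dumps(row))
```

Requiring both the identity and the address to match keeps the exception narrow: a compromised CI/CD credential replayed from an unexpected network still alerts, which is the case the note's "verify that the user identity, role, and IP address are expected" guards against. The record that AWS Internal submits never reaches the exception logic at all, because the rule itself excludes it.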