EventBridge rules may be disabled or deleted during legitimate maintenance, refactoring, environment teardown, or migration to new event patterns/targets. Verify whether the initiating identity, user agent, and source host are expected to administer EventBridge and whether the change aligns with an approved change window or deployment.

Techniques

Sample rules

AWS EventBridge Rule Disabled or Deleted

Description

Identifies when an Amazon EventBridge rule is disabled or deleted. EventBridge rules are commonly used to automate operational workflows and security-relevant routing (for example, forwarding events to Lambda, SNS/SQS, or security tooling). Disabling or deleting a rule can break critical integrations, suppress detections, and reduce visibility. Adversaries may intentionally impair EventBridge rules to disrupt monitoring, delay response, or hide follow-on actions.

Detection logic

event.dataset: aws.cloudtrail 
    and event.provider: events.amazonaws.com 
    and event.action: (DeleteRule or DisableRule) 
    and event.outcome: success
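
The following is an added example, not part of the original rule: it applies the query's three conditions to raw CloudTrail records and then runs the false-positive checks described above (identity, user agent, source host, change window). The baseline values, the `_rec` helper and the sample records are constructed for illustration, and treating a record without `errorCode` as a success is an assumption about how `event.outcome` is derived.

```python
from datetime import datetime, timezone

# Hypothetical baseline for illustration; replace with your own values.
ADMIN_ARN_PREFIXES = ("arn:aws:sts::111122223333:assumed-role/platform-deploy/",)
AGENT_MARKERS = ("Terraform/", "cloudformation.amazonaws.com")
SOURCE_HOSTS = {"198.51.100.10", "cloudformation.amazonaws.com"}
WINDOW = (datetime(2024, 5, 1, 22, tzinfo=timezone.utc),
          datetime(2024, 5, 2, 2, tzinfo=timezone.utc))

def matches_rule(rec):
    """The query's three conditions, expressed on raw CloudTrail fields."""
    return (rec.get("eventSource") == "events.amazonaws.com"
            and rec.get("eventName") in ("DeleteRule", "DisableRule")
            and "errorCode" not in rec)  # assumption: no errorCode means success

def triage(rec):
    """Return the reasons a matched change does not look like maintenance."""
    reasons = []
    if not rec.get("userIdentity", {}).get("arn", "").startswith(ADMIN_ARN_PREFIXES):
        reasons.append("unexpected identity")
    if not any(m in rec.get("userAgent", "") for m in AGENT_MARKERS):
        reasons.append("unexpected user agent")
    if rec.get("sourceIPAddress") not in SOURCE_HOSTS:
        reasons.append("unexpected source host")
    when = datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))
    if not WINDOW[0] <= when <= WINDOW[1]:
        reasons.append("outside change window")
    return reasons

def review(records):
    """Map each affected rule name to its triage reasons (empty list = expected)."""
    return {r["requestParameters"]["name"]: triage(r)
            for r in records if matches_rule(r)}

def _rec(action, arn, agent, src, when, name, **extra):
    return {"eventSource": "events.amazonaws.com", "eventName": action,
            "userIdentity": {"arn": arn}, "userAgent": agent, "sourceIPAddress": src,
            "eventTime": when, "requestParameters": {"name": name}, **extra}

DEPLOY = "arn:aws:sts::111122223333:assumed-role/platform-deploy/ci"
# Constructed sample records, not real CloudTrail data.
SAMPLE = [
    _rec("DeleteRule", DEPLOY, "APN/1.0 HashiCorp/1.0 Terraform/1.7.0",
         "198.51.100.10", "2024-05-01T23:10:00Z", "nightly-export"),
    _rec("DisableRule", "arn:aws:iam::111122223333:user/dev-alice", "aws-cli/2.15.0",
         "203.0.113.77", "2024-05-03T13:05:00Z", "findings-to-sns"),
    _rec("DeleteRule", DEPLOY, "aws-cli/2.15.0", "203.0.113.77",
         "2024-05-03T13:06:00Z", "audit-forwarder", errorCode="AccessDenied"),
]
```

Calling `review(SAMPLE)` returns an empty reason list for the pipeline-driven deletion and all four reasons for the ad hoc `DisableRule`; the failed `DeleteRule` is not matched, just as the query excludes it.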