legitimate deletion of route53 resolver query log configuration by authorized personnel.

t1562
aws
elastic

Techniques

T1562

Sample rules

Route53 Resolver Query Log Configuration Deleted

source: elastic
technicques:
- T1562

Description

Identifies when a Route53 Resolver Query Log Configuration is deleted. When a Route53 Resolver query log configuration is deleted, Resolver stops logging DNS queries and responses for the specified configuration. Adversaries may delete query log configurations to evade detection or cover their tracks.

Detection logic

event.dataset:aws.cloudtrail and event.provider: route53resolver.amazonaws.com
    and event.action: DeleteResolverQueryLogConfig and event.outcome: success