Legitimate group deletion during decommissioning of projects, clean-up of service accounts, or identity lifecycle changes may trigger this alert. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Resource group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

AWS IAM Group Deletion

Description

Detects when an IAM group is deleted using the DeleteGroup API call. Deletion of an IAM group may represent a malicious attempt to remove audit trails, disrupt operations, or hide adversary activity (for example after using the group briefly for privileged access). This can be an indicator of impact or cleanup in an attack lifecycle.

Detection logic

event.dataset: aws.cloudtrail and
event.provider: iam.amazonaws.com and
event.action: DeleteGroup and
event.outcome: success
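The query above evaluated over constructed CloudTrail events, with the false-positive note's exemption step (known identity, user agent or source host) applied to the hits; this is an added example, not the rule's own code, and the ECS field names user.name, user_agent.original and source.address are assumed mappings.

```python
# The four clauses of the rule's KQL query as exact-match (field, value) pairs.
RULE = {"event.dataset": "aws.cloudtrail", "event.provider": "iam.amazonaws.com",
        "event.action": "DeleteGroup", "event.outcome": "success"}
# Fields the false-positive note says to verify: identity, user agent, host.
# These ECS field names are assumed mappings for the aws.cloudtrail dataset.
EXEMPT_FIELDS = ("user.name", "user_agent.original", "source.address")

def get_field(doc, dotted):
    """Resolve an ECS dotted field name such as 'event.action' in a nested dict."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def rule_matches(doc):
    """True when every clause of the query holds (KQL 'and' of equalities)."""
    return all(get_field(doc, k) == v for k, v in RULE.items())

def is_exempt(doc, exemptions):
    """exemptions maps an ECS field to the set of values treated as known behavior."""
    return any(get_field(doc, f) in exemptions.get(f, ()) for f in EXEMPT_FIELDS)

def triage(docs, exemptions):
    """Split rule hits into alerts to investigate and suppressed known behavior."""
    alerts, suppressed = [], []
    for doc in docs:
        if rule_matches(doc):
            (suppressed if is_exempt(doc, exemptions) else alerts).append(doc)
    return alerts, suppressed

def make_event(action, outcome, user, agent, addr):
    """Constructed CloudTrail event in ECS shape (sample data, not real)."""
    return {"event": {"dataset": "aws.cloudtrail", "provider": "iam.amazonaws.com",
                      "action": action, "outcome": outcome},
            "user": {"name": user}, "user_agent": {"original": agent},
            "source": {"address": addr}}

SAMPLE_EVENTS = [
    make_event("DeleteGroup", "success", "alice", "aws-cli/2.15.0", "198.51.100.7"),
    make_event("DeleteGroup", "success", "svc-decom", "Terraform/1.7", "10.0.0.5"),
    make_event("DeleteGroup", "failure", "alice", "aws-cli/2.15.0", "198.51.100.7"),
    make_event("CreateGroup", "success", "alice", "aws-cli/2.15.0", "198.51.100.7"),
]
# Decommissioning automation identity approved as known behavior (constructed).
KNOWN_BEHAVIOR = {"user.name": {"svc-decom"}}
```

Only the successful DeleteGroup by the unfamiliar user reaches the alert list; the failed call and the CreateGroup never match, and the decommissioning identity is suppressed by the exemption.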