LoFP: Query log configuration deletions may occur during legitimate networking changes, logging pipeline updates, or infrastructure redesign. Confirm the activity aligns with expected operations before taking action.

Techniques

Sample rules

AWS Route 53 Resolver Query Log Configuration Deleted

Description

Identifies the deletion of an Amazon Route 53 Resolver Query Log Configuration. Resolver query logs provide critical visibility into DNS activity across VPCs, including lookups made by EC2 instances, containers, Lambda functions, and other AWS resources. Deleting a query log configuration immediately stops DNS query and response logging for the associated VPC. Adversaries may delete these configurations to evade detection, suppress forensic evidence, or degrade security monitoring capabilities.

Detection logic

event.dataset: aws.cloudtrail
    and event.provider: route53resolver.amazonaws.com
    and event.action: DeleteResolverQueryLogConfig
    and event.outcome: success
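The following is an added example, not part of the LoFP entry or the rule itself. It evaluates the four-field condition above over a handful of constructed CloudTrail records and then applies the false-positive guidance: a matching deletion performed by a principal that is on a change-management allowlist is tagged as an expected change, anything else is tagged for review. The normalization in `to_ecs` (eventSource to event.provider, eventName to event.action, outcome derived from the presence of errorCode) is a simplified assumption about how the CloudTrail fields map to ECS; the principal names, event IDs and config ID are invented for the example.

```python
"""Evaluate the Route 53 Resolver query-log deletion rule over constructed CloudTrail records."""
from typing import Dict, Iterable, List, Set

# The rule's condition as field/value pairs: every pair must match.
RULE = {
    "event.dataset": "aws.cloudtrail",
    "event.provider": "route53resolver.amazonaws.com",
    "event.action": "DeleteResolverQueryLogConfig",
    "event.outcome": "success",
}

# Constructed CloudTrail-style records (not from a real account).
SAMPLE_RECORDS: List[Dict] = [
    {   # successful deletion by the infrastructure pipeline identity
        "eventID": "evt-0001", "eventSource": "route53resolver.amazonaws.com",
        "eventName": "DeleteResolverQueryLogConfig",
        "userIdentity": {"userName": "terraform-ci"},
        "requestParameters": {"resolverQueryLogConfigId": "rqlc-EXAMPLE0001"},
    },
    {   # successful deletion by an interactive user, not on the allowlist
        "eventID": "evt-0002", "eventSource": "route53resolver.amazonaws.com",
        "eventName": "DeleteResolverQueryLogConfig",
        "userIdentity": {"userName": "jdoe"},
        "requestParameters": {"resolverQueryLogConfigId": "rqlc-EXAMPLE0002"},
    },
    {   # failed deletion (access denied): outcome is not success, so no match
        "eventID": "evt-0003", "eventSource": "route53resolver.amazonaws.com",
        "eventName": "DeleteResolverQueryLogConfig",
        "userIdentity": {"userName": "jdoe"},
        "errorCode": "AccessDenied",
    },
    {   # creation of a config from the same service: different action, no match
        "eventID": "evt-0004", "eventSource": "route53resolver.amazonaws.com",
        "eventName": "CreateResolverQueryLogConfig",
        "userIdentity": {"userName": "terraform-ci"},
    },
]


def to_ecs(raw: Dict) -> Dict[str, str]:
    """Flatten a raw CloudTrail record into the ECS fields the rule reads.

    Assumed (simplified) mapping: eventSource -> event.provider,
    eventName -> event.action, and event.outcome is 'failure' when the
    record carries an errorCode, otherwise 'success'.
    """
    return {
        "event.dataset": "aws.cloudtrail",
        "event.provider": raw.get("eventSource", ""),
        "event.action": raw.get("eventName", ""),
        "event.outcome": "failure" if raw.get("errorCode") else "success",
        "event.id": raw.get("eventID", ""),
        "user.name": raw.get("userIdentity", {}).get("userName", ""),
        "config.id": raw.get("requestParameters", {}).get("resolverQueryLogConfigId", ""),
    }


def matches_rule(event: Dict[str, str]) -> bool:
    """True when every field in RULE has exactly the required value."""
    return all(event.get(field) == value for field, value in RULE.items())


def triage(records: Iterable[Dict], expected_principals: Set[str]) -> List[Dict[str, str]]:
    """Return matching events, each tagged per the LoFP guidance.

    'expected-change' when the actor is a known change-management identity
    (a starting point for confirming the deletion aligns with planned work),
    otherwise 'review'.
    """
    alerts = []
    for raw in records:
        event = to_ecs(raw)
        if not matches_rule(event):
            continue
        tag = "expected-change" if event["user.name"] in expected_principals else "review"
        event["triage"] = tag
        alerts.append(event)
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_RECORDS, {"terraform-ci"}):
        print(alert["event.id"], alert["user.name"], alert["config.id"], alert["triage"])
```

The allowlist is only a first filter: even an expected principal deleting a query log configuration outside a change window is worth a look, so the tag is a triage hint, not a suppression.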