LoFP

Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

AWS CloudTrail Log Deleted

Description

Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses.

Detection logic

event.dataset:aws.cloudtrail
    and event.provider:cloudtrail.amazonaws.com
    and event.action:DeleteTrail
    and event.outcome:success
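As an added example (not from the LoFP page or the rule's author), the four KQL clauses above evaluated in Python over constructed ECS-shaped CloudTrail events, with the exemption list the false-positive note recommends; the identities, addresses and user agents are made up, and `rule_matches`, `is_exempt` and `triage` are names chosen here.

```python
# Added example: the AWS CloudTrail Log Deleted rule applied to ECS-shaped
# events, plus an exemption for known administrative identities and hosts.

# Constructed sample events (all values are made up); field names follow ECS.
SAMPLE_EVENTS = [
    {"event": {"dataset": "aws.cloudtrail", "provider": "cloudtrail.amazonaws.com",
               "action": "DeleteTrail", "outcome": "success"},
     "user": {"name": "terraform-deployer"}, "source": {"address": "10.0.0.5"},
     "user_agent": {"original": "APN/1.0 HashiCorp/1.0 Terraform/1.6.0"}},
    {"event": {"dataset": "aws.cloudtrail", "provider": "cloudtrail.amazonaws.com",
               "action": "DeleteTrail", "outcome": "success"},
     "user": {"name": "contractor-jdoe"}, "source": {"address": "203.0.113.9"},
     "user_agent": {"original": "aws-cli/2.15.0"}},
    {"event": {"dataset": "aws.cloudtrail", "provider": "cloudtrail.amazonaws.com",
               "action": "DeleteTrail", "outcome": "failure"},
     "user": {"name": "contractor-jdoe"}, "source": {"address": "203.0.113.9"}},
]

# Known-good automation identity and host, per the LoFP guidance (constructed).
EXEMPT_USERS = frozenset({"terraform-deployer"})
EXEMPT_SOURCES = frozenset({"10.0.0.5"})


def rule_matches(ev):
    """Mirror the four KQL clauses: dataset, provider, action and outcome."""
    e = ev.get("event", {})
    return (e.get("dataset") == "aws.cloudtrail"
            and e.get("provider") == "cloudtrail.amazonaws.com"
            and e.get("action") == "DeleteTrail"
            and e.get("outcome") == "success")


def is_exempt(ev, users=EXEMPT_USERS, sources=EXEMPT_SOURCES):
    """Exempt only when BOTH the identity and its source host are known-good,
    so a known admin name used from an unfamiliar host still alerts."""
    return (ev.get("user", {}).get("name") in users
            and ev.get("source", {}).get("address") in sources)


def triage(events):
    """Split matching events into alerts to investigate and exempted matches."""
    alerts, exempted = [], []
    for ev in events:
        if not rule_matches(ev):
            continue
        (exempted if is_exempt(ev) else alerts).append(ev)
    return alerts, exempted


if __name__ == "__main__":
    alerts, exempted = triage(SAMPLE_EVENTS)
    for ev in alerts:
        print("INVESTIGATE DeleteTrail by", ev["user"]["name"], "from", ev["source"]["address"])
    print(f"{len(exempted)} match(es) exempted as known behavior")
```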