Disable CloudWatch Alarms
An adversary may attempt to disable CloudWatch alerts
| alarmname | str | name of alarm which will be disabled | alarm_name |
aws cloudwatch disable-alarm-actions --alarm-names alarm_name
When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.
eventName:DisableAlarmActions AND eventSource:monitoring.amazonaws.com
---
title: Disable CloudWatch Alarms
id: test123
status: experimental
author: Anela Tiro
date: 2023-07-01
description: An adversary may attempt to disable CloudWatch alerts
logsource:
  service: cloudtrail
detection:
  selection_source:
    # CloudTrail records CloudWatch API calls under monitoring.amazonaws.com
    - eventSource: "monitoring.amazonaws.com"
  events:
    - eventName: "DisableAlarmActions"
  condition: selection_source and events
level: low
tags:
  - attack.T1089
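The same detection applied in Python over CloudTrail records, as an added example that is not part of the original page. It goes one step further than the query by also reporting which alarms are still disabled after any later `EnableAlarmActions` call. The log records are constructed, and the `monitoring.amazonaws.com` event source and the `alarmNames` request-parameter field are assumptions about how CloudTrail records these calls.

```python
import json

CLOUDWATCH_SOURCE = "monitoring.amazonaws.com"  # assumed CloudTrail eventSource for CloudWatch

# Constructed CloudTrail records (not real log data), one JSON object per line.
SAMPLE_LOG = """\
{"eventTime":"2023-07-01T10:00:00Z","eventSource":"monitoring.amazonaws.com","eventName":"DisableAlarmActions","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-user"},"requestParameters":{"alarmNames":["cpu-high","root-login"]}}
{"eventTime":"2023-07-01T10:01:00Z","eventSource":"monitoring.amazonaws.com","eventName":"DescribeAlarms","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-user"},"requestParameters":null}
{"eventTime":"2023-07-01T10:02:00Z","eventSource":"monitoring.amazonaws.com","eventName":"DisableAlarmActions","errorCode":"AccessDenied","sourceIPAddress":"203.0.113.9","userIdentity":{"arn":"arn:aws:iam::111122223333:user/other-user"},"requestParameters":{"alarmNames":["billing"]}}
{"eventTime":"2023-07-01T10:05:00Z","eventSource":"monitoring.amazonaws.com","eventName":"EnableAlarmActions","sourceIPAddress":"192.0.2.10","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ops-user"},"requestParameters":{"alarmNames":["cpu-high"]}}
"""

def cloudwatch_events(text):
    """Parse JSON-lines CloudTrail text and return CloudWatch records in time order."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    records = [r for r in records if r.get("eventSource") == CLOUDWATCH_SOURCE]
    return sorted(records, key=lambda r: r["eventTime"])  # ISO 8601 UTC sorts lexically

def alarm_names(record):
    """Alarm names from the request; requestParameters may be null in a record."""
    return (record.get("requestParameters") or {}).get("alarmNames", [])

def find_disable_events(text):
    """Return one summary per DisableAlarmActions call, including denied attempts."""
    hits = []
    for rec in cloudwatch_events(text):
        if rec.get("eventName") != "DisableAlarmActions":
            continue
        hits.append({
            "time": rec["eventTime"],
            "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
            "source_ip": rec.get("sourceIPAddress"),
            "alarms": alarm_names(rec),
            "succeeded": "errorCode" not in rec,
        })
    return hits

def still_muted(text):
    """Alarms disabled by a successful call and not re-enabled afterwards."""
    muted = set()
    for rec in cloudwatch_events(text):
        if "errorCode" in rec:
            continue  # a failed call changed nothing
        if rec.get("eventName") == "DisableAlarmActions":
            muted.update(alarm_names(rec))
        elif rec.get("eventName") == "EnableAlarmActions":
            muted.difference_update(alarm_names(rec))
    return sorted(muted)

if __name__ == "__main__":
    for hit in find_disable_events(SAMPLE_LOG):
        print(hit)
    print("still muted:", still_muted(SAMPLE_LOG))
```

Denied attempts are kept in the output with `succeeded` set to false, since a principal trying and failing to disable alarms is itself worth triage.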