Anomalous number of AWS Lambda functions deleted


Goal

Detects anomalous deletion of AWS Lambda functions. This rule identifies when a user or role deletes an unusual number of Lambda functions within a short time period.

Strategy

This rule monitors AWS CloudTrail logs for DeleteFunction20150331 events. The detection uses anomaly detection to establish a baseline of normal deletion patterns over a 24-hour learning period and identifies deviations from this baseline. Lambda functions often contain critical business logic and their deletion can disrupt services or remove security controls.

Triage & Response

  1. Review the @userIdentity.arn to identify the account or role that performed the deletions.
  2. Check the @requestParameters.functionName to determine which specific Lambda functions were deleted.
  3. Verify if the deleted functions were part of a planned decommissioning or migration effort.
  4. Examine the CloudTrail logs for additional suspicious activity from the same identity around the time of the deletions.
  5. Review AWS CloudWatch logs for the deleted functions to check for any unusual activity prior to deletion.
  6. Check if the identity has the necessary permissions to perform these deletions through IAM policies.
  7. Restore the deleted functions from backups if available and implement stricter access controls for Lambda function deletion.
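The strategy and triage steps above, as an added example that is not Datadog's rule implementation: a toy Python detector that derives a "normal" per-window deletion count from a learning period of constructed CloudTrail-style records, then flags any identity whose DeleteFunction20150331 count in one window exceeds it, returning the @userIdentity.arn and @requestParameters.functionName values a responder checks first. The 15-minute window, account id and ARNs are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

DELETE_EVENT = "DeleteFunction20150331"
WINDOW = timedelta(minutes=15)  # assumed window; the page does not state the rule's own

def _event(minute, arn, function_name, name=DELETE_EVENT):
    """Build a minimal CloudTrail-style record (constructed sample data, not real logs)."""
    t = datetime(2024, 1, 1, tzinfo=timezone.utc) + timedelta(minutes=minute)
    return {"eventTime": t.isoformat().replace("+00:00", "Z"), "eventName": name,
            "userIdentity": {"arn": arn}, "requestParameters": {"functionName": function_name}}

CI_ROLE = "arn:aws:sts::123456789012:assumed-role/deploy-role/ci"  # placeholder account id
USER = "arn:aws:iam::123456789012:user/contractor"                 # placeholder identity
# Learning period (day 1): the CI role removes one stale function every six hours.
LEARNING = [_event(h * 60, CI_ROLE, f"stale-{h}") for h in (0, 6, 12, 18)]
# Detection period (day 2): one routine delete, one non-delete event, then a burst of six deletes.
LIVE = [_event(1440, CI_ROLE, "stale-24"),
        _event(1450, USER, "api-handler", "UpdateFunctionCode20150331v2")] + \
       [_event(1500 + i, USER, f"prod-fn-{i}") for i in range(6)]

def deletions_by_window(records, window=WINDOW):
    """Group DeleteFunction20150331 events by identity and fixed time window.
    Returns {arn: {window_index: [functionName, ...]}}; other event names are ignored."""
    out = defaultdict(lambda: defaultdict(list))
    for rec in records:
        if rec.get("eventName") != DELETE_EVENT:
            continue
        ts = datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))
        bucket = int(ts.timestamp() // window.total_seconds())
        out[rec["userIdentity"]["arn"]][bucket].append(rec["requestParameters"]["functionName"])
    return out

def baseline_threshold(learning_records, sigmas=3.0, window=WINDOW):
    """Mean + sigmas * stdev of per-identity, per-window deletion counts seen while learning,
    floored at 2 so a single routine delete never alerts."""
    counts = [len(fns) for per_id in deletions_by_window(learning_records, window).values()
              for fns in per_id.values()]
    return max(2.0, mean(counts) + sigmas * pstdev(counts)) if counts else 2.0

def detect(records, threshold, window=WINDOW):
    """One finding per identity/window whose deletion count exceeds the threshold."""
    findings = []
    for arn, per_window in deletions_by_window(records, window).items():
        for fns in per_window.values():
            if len(fns) > threshold:
                findings.append({"arn": arn, "count": len(fns), "functions": sorted(fns)})
    return findings

if __name__ == "__main__":
    thr = baseline_threshold(LEARNING)
    for f in detect(LIVE, thr):
        print(f"ALERT {f['arn']} deleted {f['count']} functions (> {thr:.1f}): {f['functions']}")
```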