CloudWatch

Detection of adversaries attempting to impair or disable AWS security services by deleting resources across GuardDuty, AWS WAF, CloudWatch, Route 53, and CloudWatch Logs to evade detection and remove visibility.

Detection of deletion of critical AWS Security Services configurations like CloudWatch alarms, GuardDuty detectors, and Web Application Firewall rules to evade detection, potentially leading to data breaches and unauthorized access.

Detection of AWS CloudWatch log group deletions via CloudTrail logs, excluding console-based actions, indicating potential defense evasion by attackers attempting to hide their tracks.