title: AWS Config Disabling Channel/Recorder
id: 07330162-dba1-4746-8121-a9647d49d297
status: experimental
description: Detects AWS Config Service disabling
author: vitaliy0x1
date: 2020/01/21
logsource:
    service: cloudtrail
detection:
    selection_source:
        - eventSource: config.amazonaws.com
    events:
        - eventName:
            - DeleteDeliveryChannel
            - StopConfigurationRecorder
    condition: selection_source AND events
falsepositives:
    - Valid change in AWS Config Service
level: high
tags:
    - attack.defense_evasion
    - attack.t1562.001
    - attack.t1089  # an old one