DeleteEventDataStore
Event
Deletes a CloudTrail Lake event data store, destroying stored forensic evidence and audit logs.
Security Context
- CloudTrail Lake stores long-term audit data used for forensic investigations; deleting an event data store destroys historical evidence of attacker activity that cannot be recovered.
- This is a high-severity defense evasion action that indicates an adversary is actively attempting to cover their tracks after completing their objectives.
Log Source
CloudTrail
Sample Event
MITRE ATT&CK Mapping
Tactics: Defense Evasion
Techniques:
- T1562.008 — Disable or Modify Cloud Logs — An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within t...
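
Added example, not part of the original entry: a minimal detection pass over CloudTrail records that reports every DeleteEventDataStore call (successful or rejected) and links it to an earlier UpdateEventDataStore call that switched off termination protection on the same data store. The sample records, ARNs and account ID are constructed, and the requestParameters key names (eventDataStore, terminationProtectionEnabled) are assumed to mirror the API parameters in camelCase.

```python
import json
from datetime import datetime

# Constructed records for illustration only; not captured from a real account.
EDS = "arn:aws:cloudtrail:us-east-1:111122223333:eventdatastore/EXAMPLE-id"
ACTOR = {"arn": "arn:aws:iam::111122223333:user/example-user"}
CT = "cloudtrail.amazonaws.com"
SAMPLE = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": CT, "userIdentity": ACTOR,
     "eventName": "DeleteEventDataStore", "requestParameters": {"eventDataStore": EDS},
     "errorCode": "EventDataStoreTerminationProtectedException"},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": CT, "userIdentity": ACTOR,
     "eventName": "UpdateEventDataStore",
     "requestParameters": {"eventDataStore": EDS, "terminationProtectionEnabled": False}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": CT, "userIdentity": ACTOR,
     "eventName": "DeleteEventDataStore", "requestParameters": {"eventDataStore": EDS}},
    {"eventTime": "2024-05-01T10:04:00Z", "eventSource": "s3.amazonaws.com",
     "userIdentity": ACTOR, "eventName": "PutObject", "requestParameters": None},
]

def _ts(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_data_store_deletions(records):
    """Return one finding per DeleteEventDataStore call, in time order."""
    unprotected = {}  # data store -> (time, actor) of the protection removal
    findings = []
    for rec in sorted(records, key=_ts):
        if rec.get("eventSource") != CT:
            continue
        params = rec.get("requestParameters") or {}
        store = params.get("eventDataStore")
        actor = (rec.get("userIdentity") or {}).get("arn", "unknown")
        failed = "errorCode" in rec  # the API call was rejected
        name = rec.get("eventName")
        if (name == "UpdateEventDataStore" and not failed
                and params.get("terminationProtectionEnabled") is False):
            unprotected[store] = (rec["eventTime"], actor)
        elif name == "DeleteEventDataStore":
            findings.append({
                "time": rec["eventTime"], "actor": actor, "data_store": store,
                "outcome": "attempted" if failed else "deleted",
                "error": rec.get("errorCode"),
                "protection_removed": unprotected.get(store),
            })
    return findings

if __name__ == "__main__":
    print(json.dumps(find_data_store_deletions(SAMPLE), indent=2))
```

A rejected attempt followed shortly by a protection change and a successful delete from the same principal, as in the constructed sample, is the sequence worth alerting on as a unit.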