From d62014bf76e5ad728382071fb093d8799f4c73a1 Mon Sep 17 00:00:00 2001
From: bryans3c
Date: Fri, 19 Jun 2026 09:45:20 +0200
Subject: [PATCH 1/4] [New Rule] AWS Backup Plan or Selection Deleted
---
 ...pact_backup_plan_or_selection_deleted.toml | 115 ++++++++++++++++++
 1 file changed, 115 insertions(+)
 create mode 100644 rules/integrations/aws/impact_backup_plan_or_selection_deleted.toml
diff --git a/rules/integrations/aws/impact_backup_plan_or_selection_deleted.toml b/rules/integrations/aws/impact_backup_plan_or_selection_deleted.toml
new file mode 100644
index 00000000000..317bf9c6eb8
--- /dev/null
+++ b/rules/integrations/aws/impact_backup_plan_or_selection_deleted.toml
@@ -0,0 +1,115 @@
+[metadata]
+creation_date = "2026/06/19"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2026/06/19"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies deletion of an AWS Backup plan or backup selection via DeleteBackupPlan or DeleteBackupSelection. A backup
+plan defines the schedule and rules that automatically create recovery points, and a backup selection defines which
+resources the plan protects. Deleting either silently stops future backups for the affected resources, degrading
+recovery capability over time. Adversaries may delete plans or selections to disable backups ahead of a destructive or
+ransomware operation. These changes are infrequent and should align with approved maintenance.
+"""
+false_positives = [
+ """
+ Infrastructure-as-code and platform teams routinely create and delete backup plans and selections during
+ provisioning and refactoring. Verify the principal in "aws.cloudtrail.user_identity.arn" and confirm the change
+ aligns with an approved deployment. Known automation roles can be excluded after validation.
+ """,
+]
+from = "now-6m"
+index = ["logs-aws.cloudtrail-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS Backup Plan or Selection Deleted"
+note = """## Triage and analysis
+
+### Investigating AWS Backup Plan or Selection Deleted
+
+Backup plans and selections drive AWS Backup's automated protection. "DeleteBackupPlan" removes a plan (and its schedules and rules), and "DeleteBackupSelection" removes the resource assignment from a plan. Either change stops new recovery points from being created for the affected resources, so existing backups age out and recovery silently degrades. Adversaries may disable backups this way before destroying or encrypting data.
+
+### Possible investigation steps
+
+- Identify the actor in "aws.cloudtrail.user_identity.arn" and "aws.cloudtrail.user_identity.type", and review "source.ip" and "user_agent.original" for an unexpected origin or tool.
+- Identify the affected plan or selection in "aws.cloudtrail.request_parameters" and which resources lose protection.
+- Determine whether a replacement plan/selection was created shortly after, or whether protection was simply removed.
+- Correlate with adjacent destructive or evasion activity by the same principal (recovery point deletion, vault changes, resource deletions).
+
+### False positive analysis
+
+- IaC churn legitimately creates and deletes plans and selections. Confirm the change is expected and exclude known automation roles on "aws.cloudtrail.user_identity.arn" after validation.
+
+### Response and remediation
+
+- If unauthorized, restore the backup plan and selections to resume protection, and verify no recovery points were deleted while protection was disabled.
+- Rotate or restrict credentials for the principal if compromise is suspected, and restrict "backup:DeleteBackupPlan" and "backup:DeleteBackupSelection" to trusted administrators.
+
+### Additional information
+
+- [DeleteBackupPlan API](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DeleteBackupPlan.html)
+- [DeleteBackupSelection API](https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DeleteBackupSelection.html)
+"""
+references = [
+ "https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DeleteBackupPlan.html",
+ "https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DeleteBackupSelection.html",
+]
+risk_score = 47
+rule_id = "5e38a3dc-0b39-46c7-8e6f-015564d0c5cc"
+setup = """The AWS Fluentd or AWS Beats integration, CloudTrail logging, and a configured CloudTrail trail are required for this rule.
See the AWS integration documentation: https://docs.elastic.co/integrations/aws/cloudtrail"""
+severity = "medium"
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS Backup",
+ "Use Case: Threat Detection",
+ "Tactic: Impact",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+data_stream.dataset: "aws.cloudtrail"
+ and event.provider: "backup.amazonaws.com"
+ and event.action: ("DeleteBackupPlan" or "DeleteBackupSelection")
+ and event.outcome: "success"
+ and not aws.cloudtrail.user_identity.type: "AWSService"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1490"
+name = "Inhibit System Recovery"
+reference = "https://attack.mitre.org/techniques/T1490/"
+
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
+
+[rule.investigation_fields]
+field_names = [
+ "@timestamp",
+ "user.name",
+ "user_agent.original",
+ "source.ip",
+ "source.as.number",
+ "source.as.organization.name",
+ "aws.cloudtrail.user_identity.arn",
+ "aws.cloudtrail.user_identity.type",
+ "aws.cloudtrail.user_identity.access_key_id",
+ "event.action",
+ "event.outcome",
+ "cloud.account.id",
+ "cloud.region",
+ "aws.cloudtrail.request_parameters",
+ "aws.cloudtrail.response_elements",
+]
+
From 3116d311d812e20082cab332e1d6f1796b357f8d Mon Sep 17 00:00:00 2001
From: Bryan Porras
Date: Fri, 19 Jun 2026 15:15:00 +0200
Subject: [PATCH 2/4] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 .../aws/impact_backup_plan_or_selection_deleted.toml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/integrations/aws/impact_backup_plan_or_selection_deleted.toml b/rules/integrations/aws/impact_backup_plan_or_selection_deleted.toml
index 317bf9c6eb8..8a67a8e44e0 100644
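Review bot: The `event.outcome: "success"` clause in the query block drops denied DeleteBackupPlan/DeleteBackupSelection calls, and nothing in the investigation guide tells the analyst to look for them, even though a refused deletion by the same principal can precede a successful one once broader permissions are obtained. The precision trade-off is reasonable for an alerting rule, but the "Possible investigation steps" list should carry a pivot such as `- Search for failed ("event.outcome: failure") DeleteBackupPlan, DeleteBackupSelection, DeleteBackupVault or DeleteRecoveryPoint calls by the same principal, which can indicate an earlier denied attempt.` The guide also points to "aws.cloudtrail.request_parameters" without saying what to read from it; naming the identifiers the two APIs take (`backupPlanId`, and `selectionId` for a selection) would make the resource pivot concrete. The two-blank-line gaps before `[[rule.threat]]` and `[rule.threat.tactic]` against the single blank line used elsewhere are a minor layout inconsistency worth normalising.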
--- a/rules/integrations/aws/impact_backup_plan_or_selection_deleted.toml
+++ b/rules/integrations/aws/impact_backup_plan_or_selection_deleted.toml
@@ -64,6 +64,7 @@ tags = [
 "Domain: Cloud",
 "Data Source: AWS",
 "Data Source: Amazon Web Services",
+ "Data Source: AWS Cloudtrail",
 "Data Source: AWS Backup",
 "Use Case: Threat Detection",
 "Tactic: Impact",
From 3e9130f6bf4f6b85ca937c95e944e508c7538271 Mon Sep 17 00:00:00 2001
From: Bryan Porras
Date: Mon, 22 Jun 2026 09:59:46 +0200
Subject: [PATCH 3/4] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 .../aws/impact_backup_plan_or_selection_deleted.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/integrations/aws/impact_backup_plan_or_selection_deleted.toml b/rules/integrations/aws/impact_backup_plan_or_selection_deleted.toml
index 8a67a8e44e0..73b74a1dbb5 100644
--- a/rules/integrations/aws/impact_backup_plan_or_selection_deleted.toml
+++ b/rules/integrations/aws/impact_backup_plan_or_selection_deleted.toml
@@ -64,7 +64,7 @@ tags = [
 "Domain: Cloud",
 "Data Source: AWS",
 "Data Source: Amazon Web Services",
- "Data Source: AWS Cloudtrail",
+ "Data Source: AWS CloudTrail",
 "Data Source: AWS Backup",
 "Use Case: Threat Detection",
 "Tactic: Impact",
From 76066d6db15a989d440ffd6aa587904b70705c41 Mon Sep 17 00:00:00 2001
From: Bryan Porras
Date: Mon, 22 Jun 2026 16:54:35 +0200
Subject: [PATCH 4/4] Update impact_backup_plan_or_selection_deleted.toml
---
 .../aws/impact_backup_plan_or_selection_deleted.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/integrations/aws/impact_backup_plan_or_selection_deleted.toml b/rules/integrations/aws/impact_backup_plan_or_selection_deleted.toml
index 73b74a1dbb5..2bf2e314d45 100644
--- a/rules/integrations/aws/impact_backup_plan_or_selection_deleted.toml
+++ b/rules/integrations/aws/impact_backup_plan_or_selection_deleted.toml
@@ -58,7 +58,7 @@ references = [
 ]
 risk_score = 47
 rule_id = "5e38a3dc-0b39-46c7-8e6f-015564d0c5cc"
-setup = """The AWS Fluentd or AWS Beats integration, CloudTrail logging, and a configured CloudTrail trail are required for this rule. See the AWS integration documentation: https://docs.elastic.co/integrations/aws/cloudtrail"""
+setup = """This rule requires AWS CloudTrail management events for AWS Backup and ingestion via the Elastic AWS CloudTrail integration. See https://docs.elastic.co/integrations/aws/cloudtrail."""
 severity = "medium"
 tags = [
 "Domain: Cloud",
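Review bot: The new setup string ends with `cloudtrail.`, gluing the sentence's full stop to the URL; a renderer that auto-links bare URLs may carry the period into the link target. Moving the period off the URL avoids that, e.g. `See https://docs.elastic.co/integrations/aws/cloudtrail for integration setup.` The rest of the rewrite is an improvement over the removed text, which named collectors the rule does not actually depend on.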