T1485.001 Lifecycle-Triggered Deletion Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let ShortExpiryThresholdDays = 7;
let SuspiciousLifecycleOperations = dynamic(["PutBucketLifecycle", "PutBucketLifecycleConfiguration"]);
// AWS S3 lifecycle policy abuse via AWSCloudTrail
let AWSLifecycleChanges = AWSCloudTrail
| where TimeGenerated > ago(24h)
| where EventSource == "s3.amazonaws.com"
| where EventName in (SuspiciousLifecycleOperations)
| extend RawParams = tostring(RequestParameters)
| extend BucketName = tostring(parse_json(RequestParameters)["bucketName"])
| extend ExpirationDaysStr = extract(@'"Days"\s*:\s*(\d+)', 1, RawParams)
| extend ExpirationDays = toint(ExpirationDaysStr)
| extend HasDateExpiration = RawParams contains "\"Date\""
| extend FilterPrefix = extract(@'"Prefix"\s*:\s*"([^"]*)"', 1, RawParams)
| extend RuleStatus = extract(@'"Status"\s*:\s*"([^"]*)"', 1, RawParams)
| extend IsEnabled = isempty(RuleStatus) or RuleStatus =~ "Enabled"
| extend IsShortExpiry = IsEnabled and (ExpirationDays > 0 and ExpirationDays <= ShortExpiryThresholdDays)
| extend IsWildcardPrefix = isempty(FilterPrefix)
| extend CloudProvider = "AWS"
| extend Actor = UserIdentityArn
| extend SourceIP = SourceIpAddress
| extend ResourceName = BucketName
| extend RiskScore = case(
    IsShortExpiry and IsWildcardPrefix, 4,
    IsShortExpiry, 3,
    IsWildcardPrefix and IsEnabled, 2,
    1)
| where IsEnabled
| project TimeGenerated, CloudProvider, Actor, ResourceName, ExpirationDays,
          HasDateExpiration, FilterPrefix, RuleStatus, IsShortExpiry, IsWildcardPrefix,
          RiskScore, SourceIP, UserAgent, AWSRegion, EventName, ErrorCode, ErrorMessage;
// Azure Blob Storage lifecycle policy changes via AzureActivity
let AzureLifecycleChanges = AzureActivity
| where TimeGenerated > ago(24h)
| where OperationNameValue =~ "microsoft.storage/storageaccounts/managementpolicies/write"
| where ActivityStatusValue =~ "Success"
| extend RawProps = tostring(Properties)
| extend ExpirationDaysStr = extract(@'"daysAfterModificationGreaterThan"\s*:\s*(\d+)', 1, RawProps)
| extend ExpirationDays = toint(ExpirationDaysStr)
| extend IsShortExpiry = ExpirationDays > 0 and ExpirationDays <= ShortExpiryThresholdDays
| extend CloudProvider = "Azure"
| extend Actor = Caller
| extend SourceIP = CallerIpAddress
| extend ResourceName = tostring(split(ResourceId, "/")[8])
| extend IsWildcardPrefix = true
| extend RiskScore = iff(IsShortExpiry, 3, 1)
| extend AWSRegion = ""
| extend EventName = OperationNameValue
| extend ErrorCode = ""
| extend ErrorMessage = ""
| extend RuleStatus = "Enabled"
| extend FilterPrefix = ""
| extend HasDateExpiration = false
| project TimeGenerated, CloudProvider, Actor, ResourceName, ExpirationDays,
          HasDateExpiration, FilterPrefix, RuleStatus, IsShortExpiry, IsWildcardPrefix,
          RiskScore, SourceIP, UserAgent, AWSRegion, EventName, ErrorCode, ErrorMessage;
union AWSLifecycleChanges, AzureLifecycleChanges
| sort by RiskScore desc, TimeGenerated desc

critical severity high confidence

Data Sources

Cloud Storage: Cloud Storage Modification AWS CloudTrail: S3 API Calls Azure Activity Log: Storage Account Operations

Required Tables

AWSCloudTrail AzureActivity

False Positives

Legitimate data lifecycle management policies for cost optimization — organizations regularly configure long-expiry lifecycle rules to tier old objects to cheaper storage classes or delete them after compliance retention periods
Developer or DevOps engineers testing lifecycle configurations in non-production accounts or sandbox S3 buckets
Compliance-driven data destruction policies that legitimately set short retention windows for sensitive PII or regulated data to meet legal deletion requirements
Data pipeline cleanup rules that intentionally expire temporary processing artifacts or staging data after a short window
Terraform, CDK, or CloudFormation infrastructure-as-code deployments that apply lifecycle policies as part of automated stack provisioning or updates

Splunk

spl

index=aws sourcetype=aws:cloudtrail
  (eventName=PutBucketLifecycle OR eventName=PutBucketLifecycleConfiguration)
| spath input=requestParameters output=bucketName path=bucketName
| eval rawParams=requestParameters
| rex field=rawParams "\"Days\"\s*:\s*(?P<expiration_days>\d+)"
| rex field=rawParams "\"Prefix\"\s*:\s*\"(?P<filter_prefix>[^\"]*)\""
| rex field=rawParams "\"Status\"\s*:\s*\"(?P<rule_status>[^\"]*)\""
| eval expiration_days=if(isnotnull(expiration_days), tonumber(expiration_days), 9999)
| eval is_short_expiry=if(expiration_days <= 7 AND expiration_days > 0, 1, 0)
| eval is_wildcard=if(isnull(filter_prefix) OR filter_prefix="", 1, 0)
| eval is_enabled=if(isnull(rule_status) OR lower(rule_status)="enabled", 1, 0)
| eval risk_score=case(
    is_enabled=1 AND is_short_expiry=1 AND is_wildcard=1, "Critical",
    is_enabled=1 AND is_short_expiry=1, "High",
    is_enabled=1 AND is_wildcard=1, "Medium",
    true(), "Low")
| eval actor=coalesce('userIdentity.arn', 'userIdentity.userName', 'userIdentity.sessionContext.sessionIssuer.arn', "Unknown")
| eval error_code=if(isnotnull(errorCode), errorCode, "")
| where is_enabled=1
| table _time, actor, bucketName, expiration_days, filter_prefix, rule_status,
        is_short_expiry, is_wildcard, risk_score, sourceIPAddress, userAgent,
        awsRegion, eventName, error_code
| sort - _time

critical severity high confidence

Data Sources

Cloud Storage: Cloud Storage Modification AWS CloudTrail: S3 API Calls Splunk Add-on for AWS

Required Sourcetypes

aws:cloudtrail

False Positives

Legitimate data lifecycle management policies for cost optimization — organizations regularly configure long-expiry lifecycle rules to tier old objects to Glacier or delete them after compliance retention periods
Developer or DevOps engineers testing lifecycle configurations in non-production accounts or sandbox S3 buckets with intentionally short lifespans
Compliance-driven data destruction policies that legitimately set short retention windows for sensitive PII under legal deletion requirements
Infrastructure-as-code (Terraform, CDK, CloudFormation) automated deployments applying lifecycle configurations during stack creation or update
Data engineering pipelines that configure short-lived lifecycle rules to clean up temporary processing objects in staging buckets

Elastic Security (EQL)

eql

any where (
  (
    event.dataset == "aws.cloudtrail" and
    event.action in ("PutBucketLifecycle", "PutBucketLifecycleConfiguration") and
    aws.cloudtrail.event_source == "s3.amazonaws.com" and
    not exists(aws.cloudtrail.error_code)
  ) or
  (
    event.dataset == "azure.activitylogs" and
    azure.activitylogs.operation_name.value like~ "*managementpolicies/write*" and
    event.outcome == "success"
  )
)

high severity medium confidence

Data Sources

AWS CloudTrail via Elastic AWS integration (logs-aws.cloudtrail-*) Azure Activity Logs via Elastic Azure integration (logs-azure.activitylogs-*)

Required Tables

logs-aws.cloudtrail-* logs-azure.activitylogs-*

False Positives

Legitimate storage cost optimization: platform or FinOps teams routinely set or update S3 lifecycle policies to move objects to cheaper storage tiers (Glacier, Intelligent-Tiering) or expire temporary/scratch data after expected retention windows, generating identical API calls.
Infrastructure-as-code deployments: Terraform, CloudFormation, or Pulumi pipelines applying storage module configurations will call PutBucketLifecycleConfiguration on every plan apply, including in dev and staging accounts, often in bulk across many buckets.
Azure Policy and Blueprints remediation sweeps: Azure governance automation enforcing lifecycle management policies across subscriptions will write managementpolicies on all non-compliant storage accounts during remediation, producing many simultaneous benign hits.
Automated GDPR or HIPAA data retention workflows: compliance-driven scripts that apply or update short-expiry lifecycle rules on buckets holding regulated PII after the legal retention period has elapsed are expected to trigger this detection.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  username AS actor,
  sourceip AS source_ip,
  LOGSOURCETYPENAME(logsourceid) AS log_source_type,
  payload
FROM events
WHERE
  LOGSOURCETYPENAME(logsourceid) IN (
    'Amazon AWS CloudTrail',
    'Microsoft Azure Event Hubs',
    'Microsoft Azure Active Directory Audit'
  )
  AND (
    payload LIKE '%PutBucketLifecycle%'
    OR payload LIKE '%PutBucketLifecycleConfiguration%'
    OR (
      payload LIKE '%managementpolicies%'
      AND payload LIKE '%write%'
      AND (
        payload LIKE '%Succeeded%'
        OR payload LIKE '%Success%'
      )
    )
  )
  AND starttime > DATEADD(HOUR, -24, NOW())
ORDER BY starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

IBM QRadar Amazon AWS CloudTrail DSM IBM QRadar Microsoft Azure Event Hubs DSM IBM QRadar Microsoft Azure Active Directory Audit DSM

Required Tables

events

False Positives

Authorized CI/CD infrastructure pipelines: Terraform, Ansible, or CloudFormation deployments applying S3 lifecycle configurations from version-controlled templates will call PutBucketLifecycleConfiguration on every apply run, including automated runs triggered by merge events.
Cloud storage management platforms: third-party tools such as Commvault, NetApp Cloud Manager, or AWS Storage Lens that automate lifecycle policies across accounts will generate these events without malicious intent, particularly during scheduled bulk-policy enforcement runs.
AWS Backup and Data Lifecycle Manager: AWS-native archival and backup services internally invoke lifecycle APIs as part of normal object archival and backup policy enforcement workflows.
Log storage bucket maintenance: security or operations teams applying or adjusting lifecycle expiry rules on high-volume log buckets (VPC Flow Logs, ALB access logs, CloudTrail) to control storage costs are expected to trigger this query.

Sumo Logic CSE

sql

(_sourceCategory=aws/cloudtrail OR _sourceCategory=azure/activitylogs)
| json field=_raw "eventName" as event_name nodrop
| json field=_raw "requestParameters.bucketName" as bucket_name nodrop
| json field=_raw "operationName" as operation_name nodrop
| json field=_raw "status" as activity_status nodrop
| json field=_raw "userIdentity.arn" as actor_arn nodrop
| json field=_raw "sourceIPAddress" as src_ip nodrop
| json field=_raw "awsRegion" as aws_region nodrop
| where (event_name in ("PutBucketLifecycle", "PutBucketLifecycleConfiguration"))
  OR (operation_name matches "*managementpolicies/write*"
    AND (toLowerCase(activity_status) = "succeeded" OR toLowerCase(activity_status) = "success"))
| parse regex field=_raw "\"Days\"\s*:\s*(?P<expiration_days>\d+)" nodrop
| parse regex field=_raw "\"Prefix\"\s*:\s*\"(?P<filter_prefix>[^\"]*)\"" nodrop
| parse regex field=_raw "\"Status\"\s*:\s*\"(?P<rule_status>[^\"]*)\"" nodrop
| num(expiration_days) as expiration_days
| if(isNull(expiration_days), 9999, expiration_days) as expiration_days
| if(expiration_days <= 7 AND expiration_days > 0, "true", "false") as is_short_expiry
| if(isNull(filter_prefix) OR filter_prefix = "", "true", "false") as is_wildcard
| if(isNull(rule_status) OR toLowerCase(rule_status) = "enabled", "true", "false") as is_enabled
| if(is_enabled = "true" AND is_short_expiry = "true" AND is_wildcard = "true", "Critical",
    if(is_enabled = "true" AND is_short_expiry = "true", "High",
    if(is_enabled = "true" AND is_wildcard = "true", "Medium", "Low"))) as risk_score
| where is_enabled = "true"
| fields _messageTime, event_name, operation_name, bucket_name, actor_arn, src_ip, aws_region, expiration_days, filter_prefix, rule_status, is_short_expiry, is_wildcard, risk_score
| sort by _messageTime desc

high severity medium confidence

Data Sources

AWS CloudTrail logs via Sumo Logic AWS CloudTrail HTTP or S3 source Azure Activity Logs via Sumo Logic Azure Event Hubs source

Required Tables

_sourceCategory=aws/cloudtrail _sourceCategory=azure/activitylogs

False Positives

Routine lifecycle policy management by cloud administrators: CloudOps teams applying expiry rules for temporary upload buckets, session data, or ephemeral build artifacts will generate high-risk hits when the configured expiry is <= 7 days and no prefix filter is set.
CI/CD pipeline deployments applying IaC modules: Terraform apply runs touching S3 bucket resources with lifecycle blocks will call PutBucketLifecycleConfiguration on each deployment, often across multiple buckets simultaneously in the same pipeline run.
Security or compliance automation: scripts enforcing data minimization policies on PII or secrets-rotation buckets by applying short lifecycle rules once the retention window expires will produce Critical-risk hits that are intentional and authorized.
Multi-tenant SaaS platform maintenance: platforms hosting data on behalf of multiple customers that bulk-apply per-customer lifecycle configurations during onboarding or offboarding workflows will generate bursts of these events.

Google Chronicle / SecOps

yaral

rule t1485_001_lifecycle_triggered_deletion {
  meta:
    author = "Detection Engineering"
    description = "Detects AWS S3 PutBucketLifecycle/PutBucketLifecycleConfiguration API calls and Azure Blob Storage managementpolicies/write operations that may enable lifecycle-triggered mass data destruction (T1485.001 - Data Destruction: Lifecycle-Triggered Deletion)"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1485.001"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1485/001/"
    created = "2026-04-13"

  events:
    (
      (
        $e.metadata.vendor_name = "AMAZON" and
        $e.metadata.product_name = "AWS CloudTrail" and
        (
          $e.metadata.product_event_type = "PutBucketLifecycle" or
          $e.metadata.product_event_type = "PutBucketLifecycleConfiguration"
        ) and
        $e.target.resource.resource_type = "STORAGE_BUCKET"
      ) or
      (
        $e.metadata.vendor_name = "MICROSOFT" and
        $e.metadata.product_name = "Azure Activity" and
        re.regex($e.metadata.product_event_type, `(?i)managementpolicies.*write`) and
        $e.security_result.action = "ALLOW"
      )
    )
    $e.principal.user.userid = $actor

  condition:
    $e
}

high severity medium confidence

Data Sources

AWS CloudTrail Chronicle ingestion feed normalized to UDM Azure Activity Logs Chronicle ingestion feed normalized to UDM

Required Tables

UDM events — metadata.vendor_name AMAZON and MICROSOFT

False Positives

Authorized platform engineering lifecycle changes: teams managing S3 storage classes and expiry configurations as part of FinOps cost reduction programs routinely invoke PutBucketLifecycleConfiguration in bulk across all accounts in an AWS Organization.
Azure Policy remediation tasks: Azure Policy assignments enforcing lifecycle management policies will write managementpolicies on all non-compliant storage accounts during remediation sweeps, generating many simultaneous ALLOW events from the policy service principal.
IaC pipeline application of Terraform storage modules: every Terraform apply that includes an aws_s3_bucket_lifecycle_configuration resource will invoke PutBucketLifecycleConfiguration regardless of whether the policy content changed, including no-op plan runs.
Data retention and archival automation services: AWS-native services (Backup, Data Lifecycle Manager) and third-party archival platforms (Veeam, Cohesity) invoke S3 lifecycle APIs as part of normal archival policy enforcement workflows.

CrowdStrike LogScale (CQL)

cql

// Targets AWS CloudTrail events ingested via CrowdStrike Falcon Horizon cloud connector or direct CloudTrail-to-LogScale ingest
#kind=event
| eventSource = "s3.amazonaws.com"
| eventName in ["PutBucketLifecycle", "PutBucketLifecycleConfiguration"]
| regex("\"bucketName\"\s*:\s*\"(?P<bucket_name>[^\"]+)\"", field=requestParameters)
| regex("\"Days\"\s*:\s*(?P<expiration_days_str>\d+)", field=requestParameters, flags="i")
| regex("\"Prefix\"\s*:\s*\"(?P<filter_prefix>[^\"]*)\"", field=requestParameters, flags="i")
| regex("\"Status\"\s*:\s*\"(?P<rule_status>[^\"]+)\"", field=requestParameters, flags="i")
| filter_prefix := coalesce(filter_prefix, "")
| rule_status := coalesce(rule_status, "")
| expiration_days := parseFloat(expiration_days_str, default=9999)
| is_short_expiry := if(expiration_days <= 7 and expiration_days > 0, then="true", else="false")
| is_wildcard := if(isEmpty(filter_prefix), then="true", else="false")
| is_enabled := if(isEmpty(rule_status) or lower(rule_status) = "enabled", then="true", else="false")
| risk_score := case {
    is_enabled = "true" and is_short_expiry = "true" and is_wildcard = "true" => "Critical";
    is_enabled = "true" and is_short_expiry = "true" => "High";
    is_enabled = "true" and is_wildcard = "true" => "Medium";
    * => "Low"
  }
| where is_enabled = "true"
| actor := coalesce(userIdentityArn, userIdentityUserName, "Unknown")
| table([@timestamp, actor, bucket_name, expiration_days, filter_prefix, rule_status, is_short_expiry, is_wildcard, risk_score, sourceIPAddress, userAgent, awsRegion, eventName], limit=1000)
| sort(@timestamp, reverse=true)

high severity medium confidence

Data Sources

AWS CloudTrail via CrowdStrike Falcon Horizon cloud connector AWS CloudTrail direct ingest to LogScale via S3 bucket source or Kinesis Data Firehose

Required Tables

CloudTrail events with eventSource=s3.amazonaws.com in LogScale repository

False Positives

Automated storage lifecycle management by CloudOps teams: routine S3 lifecycle configuration updates for object tiering, archival to Glacier, or expiry of transient data such as build artifacts and temp uploads will generate identical high-risk hits when expiry is <= 7 days and no prefix is set.
CI/CD Terraform apply runs: every Terraform apply touching an aws_s3_bucket_lifecycle_configuration resource will call PutBucketLifecycleConfiguration, including in lower environments, and often in parallel across multiple buckets in the same pipeline execution.
AWS-native archival and backup services: AWS Backup, S3 Intelligent-Tiering automation, and third-party CSPM remediation tooling (Prisma Cloud, Wiz, Orca Security) may invoke lifecycle APIs as part of posture correction or backup policy enforcement workflows.
Log rotation and retention enforcement: scripts managing CloudTrail, ALB access log, VPC Flow Log, or S3 server access log buckets that programmatically apply or refresh expiration rules to control storage costs are an expected and high-volume source of these events.

Lifecycle-Triggered Deletion

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Same Tactic: Impact

Popular Detections