QUESTION

Why did the PantherDeploymentRole make the following API call?

Sensitive AWS API call DeleteRule

ANSWER

This is expected behavior during Panther platform upgrades. The deleted rules are AWS EventBridge rules, which power different parts of Panther by monitoring for when certain things happen or by triggering actions that need to happen at certain times. As part of our infrastructure clean-up and normal upgrades, we may remove old AWS EventBridge rules that are no longer in use.

The rules deleted here are not Panther/customer-defined rules.

If you’re interested in more details, you can view the requestParameters field in the logs that matched the rule to see the name of the rule that was deleted.
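One way to do that review in bulk, as an added example that is not Panther's own code: it reads CloudTrail records as JSON lines, pulls the deleted rule name from requestParameters, and separates deletions made by the deployment role from any made by another identity. The function name, the prefix match on the role name, and the sample records (rule names, role names, timestamps) are assumptions constructed for illustration.

```python
import json

# Constructed sample CloudTrail records; rule and role names are placeholders.
SAMPLE_EVENTS = [
    '{"eventSource":"events.amazonaws.com","eventName":"DeleteRule",'
    '"eventTime":"2024-01-01T00:00:00Z","userIdentity":{"type":"AssumedRole",'
    '"sessionContext":{"sessionIssuer":{"userName":"PantherDeploymentRole"}}},'
    '"requestParameters":{"name":"example-old-rule","eventBusName":"default"}}',
    '{"eventSource":"events.amazonaws.com","eventName":"DeleteRule",'
    '"eventTime":"2024-01-01T00:05:00Z","userIdentity":{"type":"AssumedRole",'
    '"sessionContext":{"sessionIssuer":{"userName":"ExampleAdminRole"}}},'
    '"requestParameters":{"name":"example-other-rule"}}',
    '{"eventSource":"events.amazonaws.com","eventName":"PutRule",'
    '"eventTime":"2024-01-01T00:06:00Z","userIdentity":{"type":"AssumedRole",'
    '"sessionContext":{"sessionIssuer":{"userName":"PantherDeploymentRole"}}},'
    '"requestParameters":{"name":"example-new-rule"}}',
]

def summarize_delete_rule(lines, expected_role="PantherDeploymentRole"):
    """Return (expected, unexpected) lists of EventBridge DeleteRule calls."""
    expected, unexpected = [], []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if (ev.get("eventSource"), ev.get("eventName")) != ("events.amazonaws.com", "DeleteRule"):
            continue
        params = ev.get("requestParameters") or {}   # null when the call was rejected early
        identity = ev.get("userIdentity") or {}
        issuer = (identity.get("sessionContext") or {}).get("sessionIssuer") or {}
        role = issuer.get("userName", "")
        row = {
            "time": ev.get("eventTime"),
            "rule": params.get("name"),               # name of the deleted rule
            "bus": params.get("eventBusName", "default"),
            "role": role,
            "error": ev.get("errorCode"),             # set if the deletion failed
        }
        # Assumption: the deployment role's name starts with expected_role.
        (expected if role.startswith(expected_role) else unexpected).append(row)
    return expected, unexpected

if __name__ == "__main__":
    ok, review = summarize_delete_rule(SAMPLE_EVENTS)
    for row in ok:
        print("expected:", row["time"], row["role"], "deleted", row["rule"])
    for row in review:
        print("review:  ", row["time"], row["role"], "deleted", row["rule"])
```

A role-name match only groups the events for triage; confirm the role ARN and account in userIdentity before treating a deletion as upgrade-related.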