AWS SecurityHub Findings Evasion
Detects the modification of the findings on SecurityHub.
Sigma rule
title: AWS SecurityHub Findings Evasion
id: a607e1fe-74bf-4440-a3ec-b059b9103157
status: stable
description: Detects the modification of the findings on SecurityHub.
references:
    - https://docs.aws.amazon.com/cli/latest/reference/securityhub/
author: Sittikorn S
date: 2021-06-28
tags:
    - attack.defense-evasion
    - attack.t1562
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: securityhub.amazonaws.com
        eventName:
            - 'BatchUpdateFindings'
            - 'DeleteInsight'
            - 'UpdateFindings'
            - 'UpdateInsight'
    condition: selection
fields:
    - sourceIPAddress
    - userIdentity.arn
falsepositives:
    - System or Network administrator behaviors
    - DEV, UAT, SAT environment. You should apply this rule with PROD environment only.
level: high
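An added example (not part of the Sigma project or of this rule's page) that applies the rule's selection and field extraction to constructed CloudTrail records, so the detection logic can be checked offline. The event names, event source and field list are copied from the rule above; the record contents, ARNs and IP addresses are made up.

```python
# Constants transcribed from the Sigma rule above; everything else is added illustration.
EVENT_SOURCE = "securityhub.amazonaws.com"
EVENT_NAMES = {"BatchUpdateFindings", "DeleteInsight", "UpdateFindings", "UpdateInsight"}
FIELDS = ("sourceIPAddress", "userIdentity.arn")


def get_path(record, dotted):
    """Resolve a dotted Sigma field name (e.g. 'userIdentity.arn') inside a CloudTrail record."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(record):
    """'condition: selection': all keys of the selection map must hold (they are ANDed)."""
    return (get_path(record, "eventSource") == EVENT_SOURCE
            and get_path(record, "eventName") in EVENT_NAMES)


def evaluate(records):
    """Return one alert per matching record, carrying the rule's 'fields' for triage."""
    alerts = []
    for rec in records:
        if matches(rec):
            alert = {"eventName": rec["eventName"]}
            alert.update({f: get_path(rec, f) for f in FIELDS})
            alerts.append(alert)
    return alerts


# Constructed CloudTrail records (sample data, not from a real account).
SAMPLE_RECORDS = [
    {"eventSource": "securityhub.amazonaws.com", "eventName": "BatchUpdateFindings",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventSource": "securityhub.amazonaws.com", "eventName": "GetFindings",  # read-only: no alert
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventSource": "securityhub.amazonaws.com", "eventName": "DeleteInsight",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",  # other service: no alert
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob"}},
]
```

Running `evaluate(SAMPLE_RECORDS)` yields two alerts (the BatchUpdateFindings and DeleteInsight calls), each with the source IP and caller ARN the rule's `fields` list asks for.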
Related rules
- Azure Kubernetes Events Deleted
- ETW Logging Disabled For SCM
- ETW Logging Disabled For rpcrt4.dll
- ETW Logging Disabled In .NET Processes - Registry
- ETW Logging Disabled In .NET Processes - Sysmon Registry