AWS SecurityHub Findings Evasion
Detects the modification of the findings on SecurityHub.
Sigma rule
```yaml
title: AWS SecurityHub Findings Evasion
id: a607e1fe-74bf-4440-a3ec-b059b9103157
status: stable
description: Detects the modification of the findings on SecurityHub.
references:
    - https://docs.aws.amazon.com/cli/latest/reference/securityhub/
author: Sittikorn S
date: 2021-06-28
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: securityhub.amazonaws.com
        eventName:
            - 'BatchUpdateFindings'
            - 'DeleteInsight'
            - 'UpdateFindings'
            - 'UpdateInsight'
    condition: selection
falsepositives:
    - System or Network administrator behaviors
    - DEV, UAT, SAT environment. You should apply this rule with PROD environment only.
level: high
```
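As an added example (not part of the rule or of the SigmaHQ project), the selection above applied in Python to a few constructed CloudTrail records. The records are invented; their field names follow the CloudTrail record format (eventSource, eventName, userIdentity, requestParameters, errorCode), and the BatchUpdateFindings request parameters follow the Security Hub API shape the rule's reference points at.

```python
import json

# Constructed CloudTrail records for this example (not real logs); the field
# names follow the CloudTrail record format the rule's logsource refers to.
SAMPLE_CLOUDTRAIL = """{"Records": [
 {"eventTime": "2021-06-28T10:00:00Z", "eventSource": "securityhub.amazonaws.com",
  "eventName": "BatchUpdateFindings", "awsRegion": "us-east-1",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-admin"},
  "requestParameters": {"FindingIdentifiers": [{"Id": "example-finding-1",
    "ProductArn": "arn:aws:securityhub:us-east-1::product/example"}],
    "Workflow": {"Status": "SUPPRESSED"}}},
 {"eventTime": "2021-06-28T10:01:00Z", "eventSource": "securityhub.amazonaws.com",
  "eventName": "GetFindings", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/analyst"}},
 {"eventTime": "2021-06-28T10:02:00Z", "eventSource": "guardduty.amazonaws.com",
  "eventName": "DeleteDetector", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"}},
 {"eventTime": "2021-06-28T10:03:00Z", "eventSource": "securityhub.amazonaws.com",
  "eventName": "DeleteInsight", "errorCode": "AccessDenied",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-dev"},
  "requestParameters": {"InsightArn": "arn:aws:securityhub:us-east-1:111122223333:insight/example"}}
]}"""

# Mirrors the rule's selection block: both keys must match (a Sigma map is an AND).
RULE_EVENT_SOURCE = "securityhub.amazonaws.com"
RULE_EVENT_NAMES = {"BatchUpdateFindings", "DeleteInsight", "UpdateFindings", "UpdateInsight"}

def matches_rule(record):
    """True when a single CloudTrail record satisfies the rule's selection."""
    return (record.get("eventSource") == RULE_EVENT_SOURCE
            and record.get("eventName") in RULE_EVENT_NAMES)

def evaluate(cloudtrail_json):
    """Apply the rule to a CloudTrail log file and return one alert per match,
    with the context an analyst triages first: who, what, how many findings,
    which workflow status was set, and whether the call actually succeeded."""
    alerts = []
    for rec in json.loads(cloudtrail_json)["Records"]:
        if not matches_rule(rec):
            continue
        params = rec.get("requestParameters") or {}
        alerts.append({
            "time": rec.get("eventTime"),
            "event": rec["eventName"],
            "actor": rec.get("userIdentity", {}).get("arn"),
            "findings_touched": len(params.get("FindingIdentifiers", [])),
            "workflow_status": (params.get("Workflow") or {}).get("Status"),
            # The rule does not filter on errorCode, so denied attempts alert too.
            "succeeded": "errorCode" not in rec,
        })
    return alerts
```

Read-only calls such as GetFindings and events from other services do not match; the denied DeleteInsight still does, which is useful for spotting an identity probing for permissions it lacks.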