AWS Macie Evasion

Detects attempts to evade Amazon Macie detection: a burst of Macie API calls from one source IP address that disable Macie, archive or filter its findings, or detach member accounts.

Sigma rule

title: AWS Macie Evasion
id: 91f6a16c-ef71-437a-99ac-0b070e3ad221
status: unsupported
description: Detects evade to Macie detection.
references:
    - https://docs.aws.amazon.com/cli/latest/reference/macie/
author: Sittikorn S
date: 2021/07/06
modified: 2023/03/24
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventName:
            - 'ArchiveFindings'
            - 'CreateFindingsFilter'
            - 'DeleteMember'
            - 'DisassociateFromMasterAccount'
            - 'DisassociateMember'
            - 'DisableMacie'
            - 'DisableOrganizationAdminAccount'
            - 'UpdateFindingsFilter'
            - 'UpdateMacieSession'
            - 'UpdateMemberSession'
            - 'UpdateClassificationJob'
    timeframe: 10m
    condition: selection | count() by sourceIPAddress > 5
fields:
    - sourceIPAddress
    - userIdentity.arn
falsepositives:
    - System or Network administrator behaviors
level: medium
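To make concrete what the rule's aggregation (`count() by sourceIPAddress > 5` inside `timeframe: 10m`) matches and what it ignores, here is an added Python example. It is not the rule's own code and not part of the Sigma project: it replays the selection list and a sliding 10-minute count per source IP over a constructed set of CloudTrail-shaped records. The IP addresses, ARNs, timestamps and the helper names (`parse_records`, `detect_macie_evasion`, `_record`) are assumptions made for this example.

```python
"""Added example: replay of the rule's selection and 10-minute count() by
sourceIPAddress over constructed CloudTrail records (not the rule's own code)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# eventName values copied from the rule's selection list
MACIE_EVASION_EVENTS = {
    "ArchiveFindings", "CreateFindingsFilter", "DeleteMember",
    "DisassociateFromMasterAccount", "DisassociateMember", "DisableMacie",
    "DisableOrganizationAdminAccount", "UpdateFindingsFilter",
    "UpdateMacieSession", "UpdateMemberSession", "UpdateClassificationJob",
}
TIMEFRAME = timedelta(minutes=10)   # rule: timeframe: 10m
THRESHOLD = 5                       # rule: count() by sourceIPAddress > 5


def parse_records(raw_lines):
    """Parse newline-delimited CloudTrail JSON records (one object per line)."""
    return [json.loads(line) for line in raw_lines.strip().splitlines() if line.strip()]


def detect_macie_evasion(records, timeframe=TIMEFRAME, threshold=THRESHOLD):
    """Return one alert per sourceIPAddress whose number of Macie-tampering API
    calls inside a sliding window of `timeframe` exceeds `threshold`.

    Each alert carries the rule's `fields` (sourceIPAddress, userIdentity.arn)
    plus the window bounds and event names so an analyst can triage it."""
    windows = defaultdict(deque)   # sourceIPAddress -> (timestamp, record) in window
    alerted = set()
    alerts = []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if rec.get("eventName") not in MACIE_EVASION_EVENTS:
            continue                                  # not in the selection
        ip = rec.get("sourceIPAddress", "unknown")
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        window = windows[ip]
        window.append((ts, rec))
        while window and ts - window[0][0] > timeframe:   # drop events older than 10m
            window.popleft()
        if len(window) > threshold and ip not in alerted:
            alerted.add(ip)                           # one alert per IP per burst
            alerts.append({
                "sourceIPAddress": ip,
                "count": len(window),
                "window_start": window[0][0].isoformat(),
                "window_end": ts.isoformat(),
                "userIdentity.arn": sorted({r["userIdentity"]["arn"] for _, r in window}),
                "eventNames": [r["eventName"] for _, r in window],
            })
    return alerts


# --- constructed sample log (assumed values, not real CloudTrail data) ---
ADMIN_ARN = "arn:aws:iam::123456789012:user/example-admin"
SUSPECT_ARN = "arn:aws:iam::123456789012:user/example-compromised"


def _record(minute, event_name, ip, arn):
    """Build one minimal CloudTrail-shaped record at 10:<minute> on 2021-07-06."""
    return json.dumps({
        "eventVersion": "1.08",
        "eventTime": f"2021-07-06T10:{minute:02d}:00Z",
        "eventSource": "macie2.amazonaws.com",
        "eventName": event_name,
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "arn": arn},
        "awsRegion": "us-east-1",
    })


SAMPLE_LOG = "\n".join([
    # six tampering calls from one IP within eight minutes -> should fire
    _record(0, "DisableMacie", "198.51.100.23", SUSPECT_ARN),
    _record(1, "CreateFindingsFilter", "198.51.100.23", SUSPECT_ARN),
    _record(2, "ArchiveFindings", "198.51.100.23", SUSPECT_ARN),
    _record(4, "DisassociateMember", "198.51.100.23", SUSPECT_ARN),
    _record(6, "UpdateFindingsFilter", "198.51.100.23", SUSPECT_ARN),
    _record(8, "DeleteMember", "198.51.100.23", SUSPECT_ARN),
    # a read-only call from the same IP is not in the selection -> ignored
    _record(3, "ListFindings", "198.51.100.23", SUSPECT_ARN),
    # the same number of calls spread over fifty minutes by an admin -> never
    # more than two inside any 10-minute window, so no alert (the rule's stated
    # false positive, administrator behaviour, stays quiet at this pace)
    _record(0, "UpdateMacieSession", "203.0.113.7", ADMIN_ARN),
    _record(10, "UpdateClassificationJob", "203.0.113.7", ADMIN_ARN),
    _record(20, "UpdateFindingsFilter", "203.0.113.7", ADMIN_ARN),
    _record(30, "ArchiveFindings", "203.0.113.7", ADMIN_ARN),
    _record(40, "UpdateMemberSession", "203.0.113.7", ADMIN_ARN),
    _record(50, "ArchiveFindings", "203.0.113.7", ADMIN_ARN),
])


if __name__ == "__main__":
    for alert in detect_macie_evasion(parse_records(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

Running the block prints a single alert for 198.51.100.23 (six events between 10:00 and 10:08, attributed to one ARN), while the administrator's slower sequence from 203.0.113.7 never exceeds the threshold. The two `fields` the rule names are carried into the alert so the analyst can pivot on the IP and the IAM principal, and the event list shows which of the selection's calls made up the burst.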
