security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
3da07164ce0d651bf72691bac1cfcafbf20249de
blue-team-tools/rules/cloud/aws/aws_securityhub_finding_evasion.yml
T

31 lines
850 B
YAML
Raw Normal View History

Update and rename aws_securityhub_disable_finding.yml to aws_securityhub_finding_evasion.yml
2021-06-28 15:45:31 +07:00
title: AWS SecurityHub Findings Evasion
Create aws_securityhub_disable_finding.yml
2021-06-28 15:42:34 +07:00
id: a607e1fe-74bf-4440-a3ec-b059b9103157
status: stable
Update aws_securityhub_finding_evasion.yml
2021-06-29 12:49:32 +02:00
description: Detects the modification of the findings on SecurityHub.
Update aws_securityhub_finding_evasion.yml
2021-06-28 15:52:42 +07:00
references:
Create aws_securityhub_disable_finding.yml
2021-06-28 15:42:34 +07:00
- https://docs.aws.amazon.com/cli/latest/reference/securityhub/
Order yaml field
2022-10-25 07:34:10 +02:00
author: Sittikorn S
date: 2021/06/28
Create aws_securityhub_disable_finding.yml
2021-06-28 15:42:34 +07:00
tags:
Update aws_securityhub_finding_evasion.yml
2021-06-28 16:07:54 +07:00
- attack.defense_evasion
Update aws_securityhub_finding_evasion.yml
2021-06-28 15:57:21 +07:00
- attack.t1562
Create aws_securityhub_disable_finding.yml
2021-06-28 15:42:34 +07:00
logsource:
Add product aws
2021-11-14 09:56:59 +01:00
product: aws
Create aws_securityhub_disable_finding.yml
2021-06-28 15:42:34 +07:00
service: cloudtrail
detection:
selection:
eventSource: securityhub.amazonaws.com
eventName:
Order yaml field
2022-10-25 07:34:10 +02:00
- 'BatchUpdateFindings'
- 'DeleteInsight'
- 'UpdateFindings'
- 'UpdateInsight'
Create aws_securityhub_disable_finding.yml
2021-06-28 15:42:34 +07:00
condition: selection
fields:
- sourceIPAddress
- userIdentity.arn
falsepositives:
- System or Network administrator behaviors
- DEV, UAT, SAT environment. You should apply this rule with PROD environment only.
level: high
Reference in New Issue Copy Permalink