rules/cloud/aws/cloudtrail/aws_securityhub_finding_evasion.yml

title: AWS SecurityHub Findings Evasion
id: a607e1fe-74bf-4440-a3ec-b059b9103157
status: stable
description: Detects the modification of the findings on SecurityHub.
references:
    - https://docs.aws.amazon.com/cli/latest/reference/securityhub/
author: Sittikorn S
date: 2021-06-28
tags:
    - attack.defense-evasion
    - attack.t1562
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: securityhub.amazonaws.com
        eventName:
            - 'BatchUpdateFindings'
            - 'DeleteInsight'
            - 'UpdateFindings'
            - 'UpdateInsight'
    condition: selection
fields:
    - sourceIPAddress
    - userIdentity.arn
falsepositives:
    - System or Network administrator behaviors
    - DEV, UAT, SAT environment. You should apply this rule with PROD environment only.
level: high
Update and rename aws_securityhub_disable_finding.yml to aws_securityhub_finding_evasion.yml 2021-06-28 15:45:31 +07:00			`title: AWS SecurityHub Findings Evasion`
Create aws_securityhub_disable_finding.yml 2021-06-28 15:42:34 +07:00			`id: a607e1fe-74bf-4440-a3ec-b059b9103157`
			`status: stable`
Update aws_securityhub_finding_evasion.yml 2021-06-29 12:49:32 +02:00			`description: Detects the modification of the findings on SecurityHub.`
Update aws_securityhub_finding_evasion.yml 2021-06-28 15:52:42 +07:00			`references:`
Create aws_securityhub_disable_finding.yml 2021-06-28 15:42:34 +07:00			`- https://docs.aws.amazon.com/cli/latest/reference/securityhub/`
$frack113$ Order yaml field 2022-10-25 07:34:10 +02:00			`author: Sittikorn S`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2021-06-28`
Create aws_securityhub_disable_finding.yml 2021-06-28 15:42:34 +07:00			`tags:`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`- attack.defense-evasion`
Update aws_securityhub_finding_evasion.yml 2021-06-28 15:57:21 +07:00			`- attack.t1562`
Create aws_securityhub_disable_finding.yml 2021-06-28 15:42:34 +07:00			`logsource:`
$frack113$ Add product aws 2021-11-14 09:56:59 +01:00			`product: aws`
Create aws_securityhub_disable_finding.yml 2021-06-28 15:42:34 +07:00			`service: cloudtrail`
			`detection:`
			`selection:`
			`eventSource: securityhub.amazonaws.com`
			`eventName:`
$frack113$ Order yaml field 2022-10-25 07:34:10 +02:00			`- 'BatchUpdateFindings'`
			`- 'DeleteInsight'`
			`- 'UpdateFindings'`
			`- 'UpdateInsight'`
Create aws_securityhub_disable_finding.yml 2021-06-28 15:42:34 +07:00			`condition: selection`
			`fields:`
			`- sourceIPAddress`
			`- userIdentity.arn`
			`falsepositives:`
			`- System or Network administrator behaviors`
			`- DEV, UAT, SAT environment. You should apply this rule with PROD environment only.`
			`level: high`