Merge pull request #1581 from BlackB0lt/patch-5

Create aws_securityhub_disable_finding.yml

rules/cloud/aws_securityhub_finding_evasion.yml

@@ -0,0 +1,29 @@
+title: AWS SecurityHub Findings Evasion
+id: a607e1fe-74bf-4440-a3ec-b059b9103157
+status: stable
+description: Detects the modification of the findings on SecurityHub.
+author: Sittikorn S
+date: 2021/06/28
+references:
+    - https://docs.aws.amazon.com/cli/latest/reference/securityhub/
+tags:
+    - attack.defense_evasion
+    - attack.t1562
+logsource:
+    service: cloudtrail
+detection:
+    selection:
+        eventSource: securityhub.amazonaws.com
+        eventName:
+          - 'BatchUpdateFindings'
+          - 'DeleteInsight'
+          - 'UpdateFindings'
+          - 'UpdateInsight'
+    condition: selection
+fields:
+    - sourceIPAddress
+    - userIdentity.arn
+falsepositives:
+    - System or Network administrator behaviors
+    - DEV, UAT, SAT environment. You should apply this rule with PROD environment only.
+level: high