frack113
31 lines
842 B
YAML
31 lines
842 B
YAML
title: AWS SecurityHub Findings Evasion
|
|
id: a607e1fe-74bf-4440-a3ec-b059b9103157
|
|
status: stable
|
|
description: Detects the modification of the findings on SecurityHub.
|
|
author: Sittikorn S
|
|
date: 2021/06/28
|
|
references:
|
|
- https://docs.aws.amazon.com/cli/latest/reference/securityhub/
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.t1562
|
|
logsource:
|
|
product: aws
|
|
service: cloudtrail
|
|
detection:
|
|
selection:
|
|
eventSource: securityhub.amazonaws.com
|
|
eventName:
|
|
- 'BatchUpdateFindings'
|
|
- 'DeleteInsight'
|
|
- 'UpdateFindings'
|
|
- 'UpdateInsight'
|
|
condition: selection
|
|
fields:
|
|
- sourceIPAddress
|
|
- userIdentity.arn
|
|
falsepositives:
|
|
- System or Network administrator behaviors
|
|
- DEV, UAT, SAT environment. You should apply this rule with PROD environment only.
|
|
level: high
|