Nasreddine Bencherchali
7364ce00b1
fix: Azure Active Directory Hybrid Health AD FS New Server - Update Logsource to align with the rest of the azure rules fix: Azure Active Directory Hybrid Health AD FS Service Delete - Update Logsource to align with the rest of the azure rules fix: Number Of Resource Creation Or Deployment Activities - Update Logsource to align with the rest of the azure rules fix: Granting Of Permissions To An Account - Update Logsource to align with the rest of the azure rules fix: Rare Subscription-level Operations In Azure - Update Logsource to align with the rest of the azure rules fix: Google Workspace Application Removed - Update logsource product field to `gcp` fix: Google Workspace Granted Domain API Access - Update logsource product field to `gcp` fix: Google Workspace MFA Disabled - Update logsource product field to `gcp` fix: Google Workspace Role Modified or Deleted - Update logsource product field to `gcp` fix: Google Workspace Role Privilege Deleted - Update logsource product field to `gcp` fix: Google Workspace User Granted Admin Privileges - Update logsource product field to `gcp`
31 lines
850 B
YAML
31 lines
850 B
YAML
title: AWS SecurityHub Findings Evasion
|
|
id: a607e1fe-74bf-4440-a3ec-b059b9103157
|
|
status: stable
|
|
description: Detects the modification of the findings on SecurityHub.
|
|
references:
|
|
- https://docs.aws.amazon.com/cli/latest/reference/securityhub/
|
|
author: Sittikorn S
|
|
date: 2021/06/28
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.t1562
|
|
logsource:
|
|
product: aws
|
|
service: cloudtrail
|
|
detection:
|
|
selection:
|
|
eventSource: securityhub.amazonaws.com
|
|
eventName:
|
|
- 'BatchUpdateFindings'
|
|
- 'DeleteInsight'
|
|
- 'UpdateFindings'
|
|
- 'UpdateInsight'
|
|
condition: selection
|
|
fields:
|
|
- sourceIPAddress
|
|
- userIdentity.arn
|
|
falsepositives:
|
|
- System or Network administrator behaviors
|
|
- DEV, UAT, SAT environment. You should apply this rule with PROD environment only.
|
|
level: high
|