Detectionhighstable

AWS SecurityHub Findings Evasion

Detects the modification of the findings on SecurityHub.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Sittikorn SCreated Mon Jun 28a607e1fe-74bf-4440-a3ec-b059b9103157cloud

Log Source

AWScloudtrail

ProductAWS← raw: aws

Servicecloudtrail← raw: cloudtrail

Detection Logic

detection:
    selection:
        eventSource: securityhub.amazonaws.com
        eventName:
            - 'BatchUpdateFindings'
            - 'DeleteInsight'
            - 'UpdateFindings'
            - 'UpdateInsight'
    condition: selection

False Positives

System or Network administrator behaviors

DEV, UAT, SAT environment. You should apply this rule with PROD environment only.

References

Resolving title…

docs.aws.amazon.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Techniques

T1562 · Impair Defenses

Rule Metadata

Rule ID

a607e1fe-74bf-4440-a3ec-b059b9103157

Status

stable

Level

high

Type

Detection

Created

Mon Jun 28

Author

Sittikorn S

Path

rules/cloud/aws/cloudtrail/aws_securityhub_finding_evasion.yml

Raw Tags

attack.defense-evasionattack.t1562

View on GitHub