AWS GuardDuty threat intel set deleted


Goal

Detect when an attacker is trying to evade defenses by deleting a GuardDuty ThreatIntelSet.

Strategy

This rule monitors CloudTrail for the GuardDuty DeleteThreatIntelSet API call, which removes a ThreatIntelSet (a list of known-malicious IP addresses that GuardDuty matches against to generate findings). Deleting one blinds GuardDuty to that intelligence, so it is a defense-evasion signal whether or not the call succeeded: a denied attempt still shows that the principal tried.

Triage and response

  1. Determine if user: {{@userIdentity.arn}} should have made a {{@evt.name}} API call.
  2. If the API call was not made by the user:
  • Rotate the user's credentials.
  • Determine what other API calls were made by the user.
  • Replace the ThreatIntelSets deleted by the user with the aws-cli command create-threat-intel-set or use the AWS Console.
  3. If the API call was made by the user:
  • Determine if the user should be performing this API call and if it was an authorized change.
  • If not, see what other API calls were made by the user and determine whether they warrant further investigation.
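The following is an added example, not code from the original page or from Datadog, that shows the Strategy section's detection and triage steps 2 and 3 as runnable logic over constructed CloudTrail records. It flags every DeleteThreatIntelSet call (keeping denied attempts, marked as unsuccessful), counts the other API calls made by the same principal, and builds the aws-cli create-threat-intel-set command to recreate a deleted set. The records, ARNs, IDs and IP addresses are invented for this example; the set name and S3 location passed to restore_command are assumptions, because the delete event itself records only the detectorId and threatIntelSetId.

```python
"""Added example (not from the original page or Datadog): detect GuardDuty
DeleteThreatIntelSet calls in CloudTrail records and support the page's triage
steps. All records, ARNs, IDs and IPs below are constructed placeholders."""
from collections import Counter

DELETE_EVENT = "DeleteThreatIntelSet"
GUARDDUTY_SOURCE = "guardduty.amazonaws.com"

# Constructed sample CloudTrail records (field names follow the CloudTrail
# record format; values are invented for the example).
SAMPLE_RECORDS = [
    {  # read-only call, not interesting on its own
        "eventTime": "2024-05-01T10:00:00Z", "eventSource": GUARDDUTY_SOURCE,
        "eventName": "ListThreatIntelSets", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"detectorId": "12abc34d567e8fa901bc2d34e56789f0"},
    },
    {  # the call this rule is about, successful (no errorCode field)
        "eventTime": "2024-05-01T10:01:30Z", "eventSource": GUARDDUTY_SOURCE,
        "eventName": DELETE_EVENT, "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"detectorId": "12abc34d567e8fa901bc2d34e56789f0",
                              "threatIntelSetId": "9abc34d567e8fa901bc2d34e56789f01"},
    },
    {  # a second defense-evasion call by the same principal
        "eventTime": "2024-05-01T10:02:00Z", "eventSource": GUARDDUTY_SOURCE,
        "eventName": "DeleteDetector", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"detectorId": "12abc34d567e8fa901bc2d34e56789f0"},
    },
    {  # same API attempted by a different principal but denied by IAM
        "eventTime": "2024-05-01T11:00:00Z", "eventSource": GUARDDUTY_SOURCE,
        "eventName": DELETE_EVENT, "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {"detectorId": "12abc34d567e8fa901bc2d34e56789f0",
                              "threatIntelSetId": "9abc34d567e8fa901bc2d34e56789f01"},
        "errorCode": "AccessDeniedException",
    },
]


def detect_threat_intel_set_deletions(records):
    """Return one finding per DeleteThreatIntelSet call, including denied ones.

    A denied attempt still means someone tried to blind GuardDuty, so it is
    kept and marked succeeded=False rather than dropped."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != GUARDDUTY_SOURCE or rec.get("eventName") != DELETE_EVENT:
            continue
        params = rec.get("requestParameters") or {}
        findings.append({
            "eventTime": rec.get("eventTime"),
            "arn": rec.get("userIdentity", {}).get("arn"),
            "sourceIPAddress": rec.get("sourceIPAddress"),
            "awsRegion": rec.get("awsRegion"),
            "detectorId": params.get("detectorId"),
            "threatIntelSetId": params.get("threatIntelSetId"),
            "succeeded": "errorCode" not in rec,
            "errorCode": rec.get("errorCode"),
        })
    return findings


def other_api_calls_by_principal(records, arn):
    """Triage step 2: count every other (eventSource, eventName) pair made by
    the same principal, so the analyst sees the surrounding activity."""
    calls = Counter()
    for rec in records:
        if rec.get("userIdentity", {}).get("arn") != arn:
            continue
        if rec.get("eventName") == DELETE_EVENT:
            continue
        calls[(rec.get("eventSource"), rec.get("eventName"))] += 1
    return calls


def restore_command(finding, name, s3_location, fmt="TXT"):
    """Triage step 3: build the aws-cli call that recreates the set. The delete
    event records only detectorId and threatIntelSetId, so name, S3 location
    and format must come from your own inventory (assumed via arguments)."""
    return (
        f"aws guardduty create-threat-intel-set --region {finding['awsRegion']} "
        f"--detector-id {finding['detectorId']} --name {name} "
        f"--format {fmt} --location {s3_location} --activate"
    )


if __name__ == "__main__":
    for f in detect_threat_intel_set_deletions(SAMPLE_RECORDS):
        print(f"{f['eventTime']} {f['arn']} deleted {f['threatIntelSetId']} "
              f"succeeded={f['succeeded']}")
        print("  other calls:", dict(other_api_calls_by_principal(SAMPLE_RECORDS, f["arn"])))
        if f["succeeded"]:
            print("  restore:", restore_command(f, "corp-threat-feed", "s3://example-bucket/feed.txt"))
```

Keeping the denied attempt as a finding is deliberate: the page's rule fires on the API call, and an AccessDeniedException in CloudTrail tells you a principal probed for the permission even though GuardDuty was not actually blinded. The restore command is built from the alert plus your own record of the set's name and S3 location; you cannot recover those from the delete event, so keep an inventory of your ThreatIntelSets outside GuardDuty.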