AWS Detective Graph deleted

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a user deletes an Amazon Detective behavior graph.

Strategy

This rule lets you monitor this CloudTrail API call to detect if a user has deleted an Amazon Detective behavior graph:

Triage and response

  1. Determine if the behavior graph should have been deleted.
  2. Determine which user ({{@userIdentity.arn}}) in your organization deleted the behavior graph.
  3. If the user did not make the API call:
    • Rotate the credentials.
    • Investigate if the same credentials made other unauthorized API calls.

Changelog

  • 1 April 2022 - Updated rule and signal message.
  • 18 November 2022 - Updated severity.
PREVIEWING: safchain/fix-custom-agent