<  Back to rules search

AWS Detective Graph deleted

cloudtrail

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when a user deletes an Amazon Detective behavior graph.

Strategy

This rule lets you monitor this CloudTrail API call to detect if a user has deleted an Amazon Detective behavior graph:

Triage and response

  1. Determine if the behavior graph should have been deleted.
  2. Determine which user ({{@userIdentity.arn}}) in your organization deleted the behavior graph.
  3. If the user did not make the API call:
    • Rotate the credentials.
    • Investigate if the same credentials made other unauthorized API calls.

Changelog

  • 1 April 2022 - Updated rule and signal message.
  • 18 November 2022 - Updated severity.