AWS GuardDuty threat intel set deleted

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when an attacker is trying to evade defenses by deleting a GuardDuty ThreatIntelSet.

Strategy

This rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a GuardDuty ThreatIntelSet:

Triage and response

  1. Determine if user: {{@userIdentity.arn}} should have made a {{@evt.name}} API call.
  2. If the API call was not made by the user:
  • Rotate user credentials.
  • Determine what other API calls were made by the user.
  • Replace ThreatIntelSets deleted by the user with the aws-cli command create-threat-intel-set or use the AWS Console.
  1. If the API call was made by the user:
  • Determine if the user should be performing this API call and if it was an authorized change.
  • If No, see if other API calls were made by the user and determine if they warrant further investigation.