<  Back to rules search

AWS Detective Graph deleted

cloudtrail

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect when a user deletes an Amazon Detective behavior graph.

Strategy

This rule lets you monitor this CloudTrail API call to detect if a user has deleted an Amazon Detective behavior graph:

Triage and response

  1. Determine if the behavior graph should have been deleted.
  2. Determine which user ({{@userIdentity.arn}}) in your organization deleted the behavior graph.
  3. If the user did not make the API call:
    • Rotate the credentials.
    • Investigate if the same credentials made other unauthorized API calls.

Changelog

  • 1 April 2022 - Updated rule and signal message.
  • 18 November 2022 - Updated severity.