AWS VPC Flow Log deleted


Goal

Detect when one or more AWS VPC Flow Logs are deleted.

Strategy

Monitor CloudTrail and detect when AWS VPC Flow Logs are deleted by a call to the DeleteFlowLogs API.

Triage and response

  1. Determine if the API call: {{@evt.name}} should have occurred.
  2. If the action was legitimate, consider allowing the invoking service: {{@userIdentity.invokedBy}}, user: {{@userIdentity.arn}}, or other appropriate attribute through a suppression list.
  3. If it shouldn’t have been made:
    • Contact the user: {{@userIdentity.arn}} and see if they made the API call.
  4. If the API call was not made by the user:
    • Rotate the user credentials.
    • Determine what other API calls were made with the old credentials that were not made by the user.
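The detection described under Strategy and the suppression step in the triage list above, as an added example that is not part of the original rule or of Datadog's code: a small scanner that reads CloudTrail records, keeps the ec2 DeleteFlowLogs calls (including attempts that were denied, since failed log tampering is still worth a look), pulls out the actor (userIdentity.arn and userIdentity.invokedBy, the same fields the template variables above refer to) and the targeted flow log IDs, and drops events whose ARN or invoking service is on a suppression list. The sample records, account ID, ARNs, flow log IDs and the nested layout of requestParameters are constructed assumptions for illustration.

```python
"""Added example: scan CloudTrail records for DeleteFlowLogs and apply a suppression list."""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample CloudTrail log (not real events). The account ID, ARNs, flow log
# IDs and the nested requestParameters layout are assumptions for illustration.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {   # 1: interactive IAM user deletes a flow log -> alert
        "eventSource": "ec2.amazonaws.com", "eventName": "DeleteFlowLogs",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"DeleteFlowLogsRequest": {"FlowLogId": {"tag": 1, "content": "fl-0a1b2c3d4e5f67890"}}},
    },
    {   # 2: known infrastructure-as-code pipeline role -> suppressed by ARN
        "eventSource": "ec2.amazonaws.com", "eventName": "DeleteFlowLogs",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/TerraformDeploy/pipeline"},
        "requestParameters": {"DeleteFlowLogsRequest": {"FlowLogId": [
            {"tag": 1, "content": "fl-0b2c3d4e5f678901"}, {"tag": 2, "content": "fl-0c3d4e5f67890123"}]}},
    },
    {   # 3: read-only call -> not in scope of the rule
        "eventSource": "ec2.amazonaws.com", "eventName": "DescribeFlowLogs",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
    },
    {   # 4: denied attempt -> still an alert, flagged with its errorCode
        "eventSource": "ec2.amazonaws.com", "eventName": "DeleteFlowLogs",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
        "errorCode": "Client.UnauthorizedOperation",
        "requestParameters": {"DeleteFlowLogsRequest": {"FlowLogId": {"tag": 1, "content": "fl-0a1b2c3d4e5f67890"}}},
    },
    {   # 5: made on behalf of an AWS service -> suppressed by invokedBy
        "eventSource": "ec2.amazonaws.com", "eventName": "DeleteFlowLogs",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/StackRole/cfn",
                         "invokedBy": "cloudformation.amazonaws.com"},
        "requestParameters": {"DeleteFlowLogsRequest": {"FlowLogId": {"tag": 1, "content": "fl-0d4e5f6789012345"}}},
    },
]})


@dataclass(frozen=True)
class Alert:
    """One DeleteFlowLogs event that survived suppression."""
    event_name: str                 # {{@evt.name}} in the triage text above
    arn: str                        # {{@userIdentity.arn}}
    invoked_by: Optional[str]       # {{@userIdentity.invokedBy}}, None for direct calls
    flow_log_ids: Tuple[str, ...]   # targets of the deletion
    error_code: Optional[str]       # set when the call was rejected by AWS


def _flow_log_ids(record: dict) -> Tuple[str, ...]:
    """Extract flow log IDs; accepts a single entry or a list (assumed layout)."""
    params = record.get("requestParameters") or {}
    entry = (params.get("DeleteFlowLogsRequest") or {}).get("FlowLogId", [])
    if isinstance(entry, dict):
        entry = [entry]
    return tuple(str(item.get("content", "")) for item in entry if isinstance(item, dict))


def detect_flow_log_deletions(raw_json: str,
                              suppressed_arns: Iterable[str] = (),
                              suppressed_services: Iterable[str] = ()) -> List[Alert]:
    """Return alerts for ec2:DeleteFlowLogs calls not covered by the suppression lists."""
    suppressed_arns = set(suppressed_arns)
    suppressed_services = set(suppressed_services)
    alerts: List[Alert] = []
    for record in json.loads(raw_json).get("Records", []):
        # Match exactly what the rule monitors: the EC2 DeleteFlowLogs API call.
        if record.get("eventSource") != "ec2.amazonaws.com" or record.get("eventName") != "DeleteFlowLogs":
            continue
        identity = record.get("userIdentity") or {}
        arn = identity.get("arn", "")
        invoked_by = identity.get("invokedBy")
        # Suppression: a known automation ARN or a trusted invoking service.
        if arn in suppressed_arns or (invoked_by and invoked_by in suppressed_services):
            continue
        alerts.append(Alert(record["eventName"], arn, invoked_by,
                            _flow_log_ids(record), record.get("errorCode")))
    return alerts


if __name__ == "__main__":
    for alert in detect_flow_log_deletions(
            SAMPLE_CLOUDTRAIL,
            suppressed_arns={"arn:aws:sts::123456789012:assumed-role/TerraformDeploy/pipeline"},
            suppressed_services={"cloudformation.amazonaws.com"}):
        print(alert)
```

Suppress only identities you have confirmed are supposed to delete flow logs; a suppression keyed on a role that any engineer can assume turns the rule off for everyone who uses that role. Keeping denied attempts in the results is deliberate: a principal that tried and failed to remove flow logs is exactly the one the triage steps above ask you to contact and, if they did not make the call, rotate.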