AWS SES add verified identity followed by the deletion of the identity

문서 > Datadog 보안 > OOTB Rules > AWS SES add verified identity followed by the deletion of the identity

Classification:

attack

Tactic:

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when there is an attempt to add an email address to your Amazon SES account followed by the deletion of that address in a short time period.

Strategy

Monitor CloudTrail and detect when there is an attempt to add an email address to your Amazon SES account followed by the deletion of that address in a short time period. Attackers target the AWS SES service generally for the purpose of phishing. To avoid detection, an attacker may add an email address to the SES account for a short period to perform a phishing attack and then remove it shortly after.

Triage and response

Determine if the API call: {{@evt.name}} should have been made by the user: {{@userIdentity.arn}} from this IP address: {{@network.client.ip}} .
If the action is legitimate, consider including the user in a suppression list. See [Best practices for creating detection rules with Datadog Cloud SIEM][3] for more information.
If the action shouldn’t have happened:
- Contact the user: {{@userIdentity.arn}} and see if they made the API call.
- Use the Cloud SIEM - User Investigation dashboard to see if the user {{@userIdentity.arn}} has taken other actions.
- Use the Cloud SIEM - IP Investigation dashboard to see if there’s more traffic from the IP {{@network.client.ip}}.
If the results of the triage indicate that an attacker has taken the action, initiate your company’s incident response process, as well as an investigation.