---
title: Amazon SES modification attempt
description: Datadog, the leading service for cloud-scale monitoring.
---

# Amazon SES modification attempt

- Classification: attack
- Tactic: [TA0040-impact](https://attack.mitre.org/tactics/TA0040)
- Technique: [T1496-resource-hijacking](https://attack.mitre.org/techniques/T1496)

## Goal{% #goal %}

Detect when Amazon Simple Email Service (SES) has been modified. An attacker could modify Amazon SES to propagate large-scale phishing email campaigns.

## Strategy{% #strategy %}

Monitor CloudTrail and detect when Amazon SES has been modified with one of the following API calls:

- [VerifyEmailIdentity](https://docs.aws.amazon.com/ses/latest/APIReference/API_VerifyEmailIdentity.html)
- [CreateEmailIdentity](https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_CreateEmailIdentity.html)
- [DeleteIdentity](https://docs.aws.amazon.com/ses/latest/APIReference/API_DeleteIdentity.html)
- [DeleteEmailIdentity](https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_DeleteEmailIdentity.html)
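
The following is an added example, not Datadog's rule query or code from this page: a standalone Python filter that applies the same matching logic to raw CloudTrail records and groups hits by the identity and source IP used in triage. It assumes the standard CloudTrail record fields `eventSource`, `eventName`, `userIdentity.arn`, `sourceIPAddress` and `errorCode`; the sample records, ARNs and IP addresses are constructed.

```python
import json
from collections import defaultdict

# API calls listed in the Strategy section above.
SES_MODIFICATION_CALLS = {
    "VerifyEmailIdentity", "CreateEmailIdentity",
    "DeleteIdentity", "DeleteEmailIdentity",
}

# Constructed sample data: documentation account ID and IP ranges, not real activity.
ALICE = "arn:aws:iam::111122223333:user/alice"
CI_ROLE = "arn:aws:sts::111122223333:assumed-role/ci/build"
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventSource": "ses.amazonaws.com", "eventName": "VerifyEmailIdentity",
     "userIdentity": {"arn": ALICE}, "sourceIPAddress": "198.51.100.7"},
    {"eventSource": "ses.amazonaws.com", "eventName": "DeleteIdentity",
     "userIdentity": {"arn": ALICE}, "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied"},
    {"eventSource": "ses.amazonaws.com", "eventName": "SendEmail",
     "userIdentity": {"arn": CI_ROLE}, "sourceIPAddress": "203.0.113.9"},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"arn": ALICE}, "sourceIPAddress": "198.51.100.7"},
    {"eventSource": "ses.amazonaws.com", "eventName": "CreateEmailIdentity",
     "userIdentity": {"arn": CI_ROLE}, "sourceIPAddress": "203.0.113.9"},
]})

def find_ses_modifications(trail_json):
    """Return one finding per CloudTrail record that matches a listed SES call."""
    findings = []
    for rec in json.loads(trail_json).get("Records", []):
        if rec.get("eventSource") != "ses.amazonaws.com":
            continue
        if rec.get("eventName") not in SES_MODIFICATION_CALLS:
            continue
        findings.append({
            "api_call": rec["eventName"],
            "arn": rec.get("userIdentity", {}).get("arn", "unknown"),
            "ip": rec.get("sourceIPAddress", "unknown"),
            # errorCode is only present on failed calls; a denied attempt is still reported.
            "outcome": rec.get("errorCode", "success"),
        })
    return findings

def group_for_triage(findings):
    """Group findings by (ARN, source IP), the two pivots used during triage."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[(f["arn"], f["ip"])].append((f["api_call"], f["outcome"]))
    return dict(grouped)
```
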

## Triage and response{% #triage-and-response %}

1. Determine if the API call `{{@evt.name}}` should have been made by the user `{{@userIdentity.arn}}` from this IP address: `{{@network.client.ip}}`.
1. If the action is legitimate, consider including the user in a suppression list. See [Best practices for creating detection rules with Datadog Cloud SIEM](https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#fine-tune-security-signals-to-reduce-noise) for more information.
1. If it shouldn't have been made:
   - Contact the user: `{{@userIdentity.arn}}` and see if they made the API call.
   - Use the Cloud SIEM - User Investigation dashboard to see if the user `{{@userIdentity.arn}}` has taken other actions.
   - Use the Cloud SIEM - IP Investigation dashboard to see if there's more traffic from the IP `{{@network.client.ip}}`.
1. If the results of the triage indicate that an attacker has taken the action, begin your company's incident response process and an investigation.

## Changelog{% #changelog %}

- 17 August 2023 - Updated query to replace attribute `@threat_intel.results.subcategory:tor` with `@threat_intel.results.category:tor`.
- 1 May 2024 - Updated queries because coverage existed in other OOTB detection rules.
