AWS API calls indicating tampering with Security Hub findings
Description
AlphaSOC detected AWS API calls indicating potential tampering with Security Hub findings. The actions include BatchUpdateFindings, DeleteInsight, UpdateFindings, and UpdateInsight. BatchUpdateFindings and UpdateFindings change the state of existing findings (for example, setting a workflow status of SUPPRESSED or a record state of ARCHIVED so that a finding drops out of the default console and API views), while DeleteInsight and UpdateInsight remove or alter the saved insight filters analysts rely on to spot patterns. Used together, these calls let a threat actor conceal their activity and maintain unauthorized access to the environment without generating a new finding.
Impact
Tampering with AWS Security Hub findings can hinder an organization's ability to detect and respond to security threats. By altering or deleting security findings and insights, threat actors can prolong their presence in the AWS environment, increase the risk of data breaches, and complicate forensic analysis.
Severity
| Severity | Condition |
|---|---|
| Low | AWS API calls indicating tampering with Security Hub findings |
Investigation and Remediation
Review AWS CloudTrail logs for events with eventSource `securityhub.amazonaws.com` and the event names above to identify the IAM user or role (the `userIdentity` field) responsible, and note the `sourceIPAddress` and `userAgent` of each call; a console session from an unexpected network or a CLI/SDK user agent on a principal that normally only uses the console is a useful signal. Include denied calls (events carrying an `errorCode`): a principal probing for these permissions is worth investigating even if nothing changed. Verify whether the actions were authorized and part of a legitimate business process. If unauthorized, revoke the associated credentials, then restore what was altered: findings that were suppressed or archived can be reopened with BatchUpdateFindings (workflow status back to NEW) or by resetting their record state, whereas a deleted insight is only a saved filter definition and has to be recreated. Finally, conduct a thorough security assessment of the AWS environment to detect other signs of compromise, since hiding findings is rarely an attacker's first action.
Known False Positives
- Automated scripts or third-party security tools integrated with AWS Security Hub performing authorized updates
- Administrative actions by authorized users managing AWS Security Hub findings
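As an added worked example (this is not AlphaSOC's detection logic and not code from the original page), the following Python triages a batch of CloudTrail records the way the investigation steps and false-positive list above describe: it keeps only the four Security Hub calls, separates out principals on an allowlist of known automation roles, records whether each call succeeded or was denied, and summarises what each call changed so an analyst can see who to revoke first. The sample events, the account ID and the allowlisted role ARN are constructed; the request-parameter key names are assumed to follow the Security Hub API's PascalCase request shape, with a camelCase fallback tried in case CloudTrail records them differently.

```python
"""Triage CloudTrail records for AWS Security Hub finding/insight tampering.

Added example, not AlphaSOC's detection logic. All sample data below is
constructed. Request-parameter keys are assumed to use the Security Hub API's
PascalCase shape; a camelCase fallback is tried for each lookup.
"""
import json
from collections import Counter

# The four Security Hub calls the alert covers; each can hide or remove findings.
TAMPERING_ACTIONS = {"BatchUpdateFindings", "DeleteInsight", "UpdateFindings", "UpdateInsight"}

# Hypothetical allowlist: automation roles known to update findings legitimately.
ALLOWLISTED_ARNS = {
    "arn:aws:sts::123456789012:assumed-role/SecurityHubAutomationRole/soar-session",
}


def param(params, key):
    """Look up a request parameter by PascalCase key, falling back to camelCase."""
    return params.get(key, params.get(key[0].lower() + key[1:]))


def describe_change(event):
    """Summarise what the call changed, from CloudTrail requestParameters."""
    params = event.get("requestParameters") or {}
    name = event["eventName"]
    if name == "BatchUpdateFindings":
        count = len(param(params, "FindingIdentifiers") or [])
        parts = [f"{count} finding(s)"]
        status = param(param(params, "Workflow") or {}, "Status")
        if status:
            parts.append(f"workflow={status}")
        if param(params, "Severity") is not None:
            parts.append(f"severity={json.dumps(param(params, 'Severity'))}")
        return ", ".join(parts)
    if name == "UpdateFindings":
        return f"recordState={param(params, 'RecordState')}"
    return f"insight={param(params, 'InsightArn')}"  # DeleteInsight / UpdateInsight


def principal_arn(event):
    """Identify the caller; fall back to principalId when no ARN is recorded."""
    identity = event.get("userIdentity") or {}
    return identity.get("arn") or identity.get("principalId") or "unknown"


def triage(events, allowlist=ALLOWLISTED_ARNS):
    """Split Security Hub tampering calls into (alerts, allowlisted_activity).

    Denied calls are kept with outcome='denied': a principal probing for the
    permission is still worth a look even though nothing was changed.
    """
    alerts, allowed = [], []
    for ev in events:
        if ev.get("eventSource") != "securityhub.amazonaws.com":
            continue
        if ev.get("eventName") not in TAMPERING_ACTIONS:
            continue
        arn = principal_arn(ev)
        record = {
            "time": ev.get("eventTime"),
            "principal": arn,
            "action": ev["eventName"],
            "source_ip": ev.get("sourceIPAddress"),
            "outcome": "denied" if ev.get("errorCode") else "succeeded",
            "change": describe_change(ev),
        }
        (allowed if arn in allowlist else alerts).append(record)
    return alerts, allowed


def actions_by_principal(records):
    """Count (principal, action) pairs to show who did what, for credential revocation."""
    return Counter((r["principal"], r["action"]) for r in records)


# Constructed CloudTrail records (not real data), trimmed to the fields used here.
SOAR = "arn:aws:sts::123456789012:assumed-role/SecurityHubAutomationRole/soar-session"
USER = "arn:aws:iam::123456789012:user/contractor"
HUB = "securityhub.amazonaws.com"
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": HUB, "eventName": "BatchUpdateFindings",
     "sourceIPAddress": "10.0.5.17", "userIdentity": {"type": "AssumedRole", "arn": SOAR},
     "requestParameters": {"FindingIdentifiers": [{"Id": "f-1"}], "Workflow": {"Status": "RESOLVED"}}},
    {"eventTime": "2024-05-01T23:41:09Z", "eventSource": HUB, "eventName": "BatchUpdateFindings",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"type": "IAMUser", "arn": USER},
     "requestParameters": {"FindingIdentifiers": [{"Id": "f-2"}, {"Id": "f-3"}, {"Id": "f-4"}],
                           "Workflow": {"Status": "SUPPRESSED"}}},
    {"eventTime": "2024-05-01T23:42:30Z", "eventSource": HUB, "eventName": "DeleteInsight",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"type": "IAMUser", "arn": USER},
     "requestParameters": {"InsightArn": "arn:aws:securityhub:us-east-1:123456789012:insight/123456789012/custom/abc"}},
    {"eventTime": "2024-05-01T23:43:02Z", "eventSource": HUB, "eventName": "UpdateFindings",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"type": "IAMUser", "arn": USER},
     "errorCode": "AccessDenied", "requestParameters": {"RecordState": "ARCHIVED"}},
    {"eventTime": "2024-05-01T23:45:00Z", "eventSource": HUB, "eventName": "GetFindings",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"type": "IAMUser", "arn": USER}},
]

if __name__ == "__main__":
    found, expected = triage(SAMPLE_EVENTS)
    for r in found:
        print(f"ALERT {r['time']} {r['principal']} {r['action']} [{r['outcome']}] {r['change']}")
    print("allowlisted:", len(expected), "| by principal:", dict(actions_by_principal(found)))
```

In production the `SAMPLE_EVENTS` list would be replaced by the `Records` array of a CloudTrail log file or the output of a CloudTrail Lake or Athena query filtered on `eventSource = 'securityhub.amazonaws.com'`; the allowlist should be reviewed whenever a new tool is integrated with Security Hub, since an over-broad allowlist turns the alert back into a blind spot.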