AWS API calls indicating tampering with SecurityHub findings
Description
AlphaSOC detected AWS API calls indicating potential tampering with SecurityHub findings. The actions include BatchUpdateFindings, DeleteInsight, UpdateFindings, and UpdateInsight. These API calls can be used to modify or delete security findings and insights within AWS SecurityHub, potentially allowing threat actors to conceal their activity and maintain unauthorized access to the system.
Impact
Tampering with AWS SecurityHub findings can hinder an organization's ability to detect and respond to security threats. By altering or deleting security findings and insights, threat actors can prolong their presence in the AWS environment, increase the risk of data breaches, and complicate forensic analysis.
Severity
Severity | Condition
---|---
Low | AWS API calls indicating tampering with SecurityHub findings
Investigation and Remediation
Review AWS CloudTrail logs to identify the AWS IAM user or role responsible for these actions. Verify if these actions were authorized and part of a legitimate business process. If unauthorized, revoke the associated credentials, restore AWS SecurityHub findings where possible, and conduct a thorough security assessment of the AWS environment to detect other signs of compromise.
Known False Positives
- Automated scripts or third-party security tools integrated with AWS SecurityHub performing authorized updates
- Administrative actions by authorized users managing AWS SecurityHub findings
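The CloudTrail review described under Investigation and Remediation, combined with an allow-list for the automation principals listed under Known False Positives, can be scripted. The example below is added here and is not AlphaSOC's own code; the account ID, principal ARNs, IP addresses, access key ID and log records are all constructed, and the allow-list role name is an assumption to be replaced with your own.

```python
import json

# SecurityHub modify/delete APIs named in this detection.
TAMPERING_EVENTS = {"BatchUpdateFindings", "DeleteInsight", "UpdateFindings", "UpdateInsight"}

# Assumed allow-list of principals permitted to change findings (e.g. a
# ticketing or SIEM sync role); tune per environment to suppress false positives.
ALLOWED_PRINCIPALS = {
    "arn:aws:sts::123456789012:assumed-role/SecurityHubAutomationRole/findings-sync",
}

def find_securityhub_tampering(records, allowed=ALLOWED_PRINCIPALS):
    """Return CloudTrail records where a non-allow-listed principal called a
    SecurityHub API that alters or deletes findings or insights."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "securityhub.amazonaws.com":
            continue
        if rec.get("eventName") not in TAMPERING_EVENTS:
            continue
        identity = rec.get("userIdentity", {})
        principal = identity.get("arn", "")
        if principal in allowed:
            continue
        hits.append({
            "time": rec.get("eventTime"),
            "event": rec["eventName"],
            "principal": principal,          # who to look up / whose credentials to revoke
            "access_key": identity.get("accessKeyId"),
            "source_ip": rec.get("sourceIPAddress"),
        })
    return hits

# Constructed sample CloudTrail export (not real data): one unexpected IAM user
# editing findings, one allow-listed automation role, one harmless read call.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "securityhub.amazonaws.com",
     "eventName": "BatchUpdateFindings", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor",
                      "accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "securityhub.amazonaws.com",
     "eventName": "UpdateFindings", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/SecurityHubAutomationRole/findings-sync"}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "securityhub.amazonaws.com",
     "eventName": "GetFindings", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"}},
]})

def sample_hits():
    return find_securityhub_tampering(json.loads(SAMPLE_LOG)["Records"])

if __name__ == "__main__":
    for h in sample_hits():
        print(f"{h['time']} {h['event']} by {h['principal']} from {h['source_ip']}")
```

Point `find_securityhub_tampering` at the `Records` array of real CloudTrail log files (or at CloudTrail Lake query output) to list the principals and access keys to verify and, if unauthorized, revoke.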