
AWS API calls indicating tampering with SecurityHub findings

ID: aws_securityhub_finding_evasion
Data type: AWS CloudTrail
Severity: Low
MITRE ATT&CK: TA0005:T1562

Description

AlphaSOC detected AWS API calls indicating potential tampering with SecurityHub findings. The actions include BatchUpdateFindings, DeleteInsight, UpdateFindings, and UpdateInsight. These API calls can be used to modify or delete security findings and insights within AWS SecurityHub, potentially allowing threat actors to conceal their activity and maintain unauthorized access to the system.

Impact

Tampering with AWS SecurityHub findings can hinder an organization's ability to detect and respond to security threats. By altering or deleting security findings and insights, threat actors can prolong their presence in the AWS environment, increase the risk of data breaches, and complicate forensic analysis.

Severity

Severity  Condition
Low       AWS API calls indicating tampering with SecurityHub findings

Investigation and Remediation

Review AWS CloudTrail logs to identify the AWS IAM user or role responsible for these actions. Verify if these actions were authorized and part of a legitimate business process. If unauthorized, revoke the associated credentials, restore AWS SecurityHub findings where possible, and conduct a thorough security assessment of the AWS environment to detect other signs of compromise.
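The following is an added example (not AlphaSOC's detection code) that applies the rule described above to CloudTrail records and then groups the hits by IAM principal, which is the first investigation step. It matches the four Security Hub API calls named in the description only when the eventSource is securityhub.amazonaws.com, keeps denied attempts as hits, and runs over constructed sample records embedded below; the ARN, account id, IP address and role name are placeholders.

```python
# Security Hub API calls this rule treats as potential finding/insight tampering.
TAMPERING_EVENTS = {"BatchUpdateFindings", "DeleteInsight", "UpdateFindings", "UpdateInsight"}
SECURITYHUB_SOURCE = "securityhub.amazonaws.com"

def principal_of(record):
    """Return the ARN (or user name) of the IAM principal behind a CloudTrail record."""
    ident = record.get("userIdentity", {})
    # Assumed-role sessions carry role and session name in the ARN; IAM users also have userName.
    return ident.get("arn") or ident.get("userName") or "unknown-principal"

def find_tampering(records):
    """Return one hit per Security Hub call that matches the rule, oldest first."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != SECURITYHUB_SOURCE:
            continue  # the same API name under another service is not a Security Hub call
        if rec.get("eventName") not in TAMPERING_EVENTS:
            continue  # read-only calls such as GetFindings are out of scope
        hits.append({
            "time": rec.get("eventTime", ""),
            "event": rec["eventName"],
            "principal": principal_of(rec),
            "source_ip": rec.get("sourceIPAddress"),
            # errorCode is present only on failed calls; a denied attempt still shows intent
            "succeeded": "errorCode" not in rec,
        })
    return sorted(hits, key=lambda h: h["time"])

def principals_to_review(hits):
    """Map each principal to the set of tampering calls it made (the first investigation step)."""
    summary = {}
    for h in hits:
        summary.setdefault(h["principal"], set()).add(h["event"])
    return summary

# Constructed sample CloudTrail records (not real log data), trimmed to the fields used above.
ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/DevOpsRole/cli-session"  # placeholder
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": SECURITYHUB_SOURCE, "eventName": "GetFindings",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"userName": "analyst"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": SECURITYHUB_SOURCE, "eventName": "BatchUpdateFindings",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"arn": ROLE_ARN}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": SECURITYHUB_SOURCE, "eventName": "DeleteInsight",
     "sourceIPAddress": "203.0.113.10", "errorCode": "AccessDenied", "userIdentity": {"arn": ROLE_ARN}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "guardduty.amazonaws.com", "eventName": "UpdateFindings",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"userName": "analyst"}},
]

if __name__ == "__main__":
    print(principals_to_review(find_tampering(SAMPLE_RECORDS)))
```

Running it on the sample records reports only the DevOpsRole session, with both its successful BatchUpdateFindings call and its denied DeleteInsight attempt; the analyst's GetFindings call and the GuardDuty UpdateFindings call are not matched.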

Known False Positives

  • Automated scripts or third-party security tools integrated with AWS SecurityHub performing authorized updates
  • Administrative actions by authorized users managing AWS SecurityHub findings