AWS Detective graph deleted
Description
AlphaSOC detected the deletion of an Amazon Detective behavior graph. Amazon Detective uses behavior graphs to analyze and link data from multiple AWS accounts to identify potential security threats. This finding indicates that detection capabilities may have been intentionally disabled to evade security monitoring or forensic investigation.
Impact
Deleting Detective graphs eliminates historical security analysis data and disrupts active threat investigations. Adversaries often attempt to destroy security monitoring capabilities to hide their activities and prevent detection of other malicious actions within the AWS environment.
Severity
| Severity | Condition |
|---|---|
| Medium | AWS Detective graph deleted |
Investigation and Remediation
Review CloudTrail logs to identify the user or role that deleted the Detective graph. Determine if the deletion was authorized. If unauthorized, restore the graph if possible, investigate any related suspicious activities, and review IAM permissions that allow graph deletion.
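The CloudTrail review described above, as an added example that is not AlphaSOC's code: it filters records for Detective `DeleteGraph` calls, extracts the calling principal and target graph, keeps denied attempts as well as successful ones, and compares the principal against a hypothetical change-control allowlist. The sample records, account ID, ARNs, IP addresses and the allowlist are all constructed placeholders.

```python
from dataclasses import dataclass

# Constructed sample CloudTrail records (not real data): account ID, principal
# names, graph ARN and IP addresses are placeholders in documentation ranges.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "detective.amazonaws.com",
     "eventName": "CreateGraph", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/sec-admin"}},
    {"eventTime": "2024-05-01T11:02:17Z", "eventSource": "detective.amazonaws.com",
     "eventName": "DeleteGraph", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42"},
     "requestParameters": {"graphArn": "arn:aws:detective:us-east-1:111122223333:graph:EXAMPLE"}},
    {"eventTime": "2024-05-01T11:05:00Z", "eventSource": "detective.amazonaws.com",
     "eventName": "DeleteGraph", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.8",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/intern"},
     "requestParameters": {"graphArn": "arn:aws:detective:us-east-1:111122223333:graph:EXAMPLE"},
     "errorCode": "AccessDeniedException"},
]

AUTHORIZED_DELETERS = {"arn:aws:iam::111122223333:user/sec-admin"}  # hypothetical change-control allowlist

@dataclass
class GraphDeletion:
    event_time: str
    principal_arn: str
    graph_arn: str
    source_ip: str
    succeeded: bool   # False when CloudTrail recorded an errorCode (the call was denied)
    authorized: bool  # principal appears on the change-control allowlist

def find_graph_deletions(records, allowlist=AUTHORIZED_DELETERS):
    """Return every Detective DeleteGraph call; denied attempts are kept because they still show someone trying to blind monitoring."""
    hits = []
    for r in records:
        if r.get("eventSource") != "detective.amazonaws.com" or r.get("eventName") != "DeleteGraph":
            continue
        arn = r.get("userIdentity", {}).get("arn", "<unknown>")
        hits.append(GraphDeletion(
            event_time=r.get("eventTime", ""),
            principal_arn=arn,
            graph_arn=r.get("requestParameters", {}).get("graphArn", "<unknown>"),
            source_ip=r.get("sourceIPAddress", ""),
            succeeded="errorCode" not in r,
            authorized=arn in allowlist,
        ))
    return hits

if __name__ == "__main__":
    print(*find_graph_deletions(SAMPLE_RECORDS), sep="\n")
```

On real logs, feed the `Records` array of each CloudTrail file to `find_graph_deletions` and triage any hit whose `authorized` is false, or whose principal, source IP or time falls outside an approved change window.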