title: AWS Macie Evasion
id: 91f6a16c-ef71-437a-99ac-0b070e3ad221
status: experimental
description: Detects evade to Macie detection.
author: Sittikorn S
date: 2021/07/06
references:
    - https://docs.aws.amazon.com/cli/latest/reference/macie/
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventName:
            - 'ArchiveFindings'
            - 'CreateFindingsFilter'
            - 'DeleteMember'
            - 'DisassociateFromMasterAccount'
            - 'DisassociateMember'
            - 'DisableMacie'
            - 'DisableOrganizationAdminAccount'
            - 'UpdateFindingsFilter'
            - 'UpdateMacieSession'
            - 'UpdateMemberSession'
            - 'UpdateClassificationJob'
    timeframe: 10m
    condition: selection
fields:
    - sourceIPAddress
    - userIdentity.arn
falsepositives:
    - System or Network administrator behaviors
level: medium