This alert detects when a backup for a DynamoDB table is deleted. Deleting a backup makes it impossible to recover the table in case of any failures. Impact Threat actors delete database backups to impact the normal business operations of an organization. Mitigation 1. Validate if the relevant user is aware of the action. 2. If there is a suspicion that the user was compromised, disable the user and block their access to the AWS console and account. 3. Create a new backup entry for the relevant table. MITRE Tactic: TA0040 MITRE Technique: T1490

This alert detects whenever single or multiple items in the DynamoDB table are deleted. This alert may throw potential false positives as administrators and power users may delete table records for administrative activities so it can be fine-tuned according to specific machines or user groups. Impact After an adversary has access to your DynamoDB database and has the necessary permissions, it can delete database table items/records in order to disrupt an organization's business operations. Mitigation Validate if this action was legitimate. If not, investigate it further. Additionally, administrators can check database user accounts for any excessive privileges to delete database records. Take regular database backups so that database tables can be recovered in the case when the deletion was not intentional. MITRE Tactic: TA0003 MITRE Technique: T1505 MITRE Sub-Technique: 001

Multiple DynamoDB tables were deleted (More than 5 in 10 minutes). when a DynamoDB table is deleted all the data that is stored in these tables will be lost if there were no recovery points configured. Malicious actors might try to delete DynamoDB tables in order to harm the company or after exfiltrating the data in order to extort a ransom. Impact The potential loss of critical business data. Mitigation Validate with the relevant user if he was the one to perform the action. If there is a suspicion that the user was compromised, disable the user and block his access to the AWS console and account. If needed, recover the table from the newest available recovery point. MITRE Tactic: TA0040 MITRE Technique: T1490

This alert will trigger when more than 5 tables were created under 10 minutes. DynamoDB tables are used to store different data inside of them a malicious actor might try to create his own table in order to try and export sensitive information from the organization without anyone noticing. Impact In case of malicious actors actions sensitive data can be stolen. Mitigation Validate with the relevant user the reason for the creation of multiple tables. If needed, delete the newly created tables. if needed, further investigate according to company policy. MITRE Tactic: TA0040 MITRE Technique: T1565

This alert detects when deletion protection on a database table is disabled. Deletion Protection makes sure that a DynamoDB table doesn't get accidentally deleted. It is useful for database tables having mission-critical or production data. Impact A threat actor may disable deletion protection on a database table so that they can delete the table later and thus can impact the business operations of an organization. Mitigation Check if disabling the deletion protection was authorized, if not, revert the action and investigate further. MITRE Tactic: TA0005 MITRE Technique: T1562 MITRE Sub-Technique: 001

This alert detects whenever a DynamoDB table items are scanned for its metadata or attributes. Impact A threat actor can scan a DynamoDB table to understand its structure and the records it contains. They can then leverage that data to perform malicious operations. Mitigation Check if this activity was legitimate. If not, investigate further. MITRE Tactic: TA0043 MITRE Technique: T1596 MITRE Sub-Technique: 005

This alert detects whenever the DynamoDB database has a new activity by a user from a new geo-location. Please note that this alert will be active (after being deployed) after the configured alert time window which in this case is 72 hours. This is in order for the algorithm to train on the new values for the key tracked, capture the baseline as well as prevent false notifications. Impact New region/country activity can indicate malicious activity by a threat actor. Mitigation Check if the activity from the originating country should have been permitted or not. If there is no business with the country in question, it is recommended to apply geo-blocking on that country and investigate if any suspicious activities are followed in the network. MITRE Tactic: TA0001 MITRE Technique: T1078

This alert detects whenever a DynamoDB tables item's attributes are updated or a new item is added to the table. Impact After an adversary has access to your DynamoDB database and has the necessary permissions they can update the database tables to modify the database tables records. They can also escalate their privileges and maintain persistence in the network by modifying the database table records. Mitigation Validate if this action was legitimate. If not, revert the change and investigate it further. MITRE Tactic: TA0003 MITRE Technique: T1505 MITRE Sub-Technique: 001

This alert detects when DynamoDB table backups associated with an AWS account are listed. Note that each time you create an on-demand backup, the entire table data is backed up. There is no limit to the number of on-demand backups that can be taken. Impact A threat actor can list the DynamoDB table backups to understand which tables have backups. They can then delete them in addition to deleting the original tables so that legitimate users can't recover the lost data. This can impact the normal business operations of an organization. Mitigation 1. Check whether this action is legitimate and the user is aware of it. 2. If there is a suspicion that the user was compromised, disable the user and block their access to the AWS console and account. MITRE Tactic: TA0040 MITRE Technique: T1490

This alert detects when a user modifies the provisioned throughput settings, global secondary indexes, or DynamoDB Streams settings for a given table more than 5 times in a time duration of 10 minutes. Impact After an adversary has access to your DynamoDB database and has the necessary permissions they can update the database tables to modify the database tables settings/records. They can also escalate their privileges and maintain persistence in the network by modifying the database tables settings/records. Mitigation Validate if this action was legitimate. If not, revert the change and investigate it further. MITRE Tactic: TA0003 MITRE Technique: T1505 MITRE Sub-Technique: 001