Quick Start Security for AWS Lambda
Coralogix Extension For AWS Lambda Includes:
Dashboards - 1
Gain instantaneous visualization of all your AWS Lambda data.
Alerts - 5
Stay on top of key AWS Lambda performance metrics. Keep everyone in the know through integrations with Slack, PagerDuty and more.
Function was created
This alert triggers if new Lambda functions have been created which can be used to perform actions.

Impact: If a threat actor gains unauthorized access to your AWS account, they may create new Lambda functions for malicious purposes, such as running unauthorized code or executing denial-of-service (DoS) attacks.

Mitigation: Check if the action was legitimate and if the created function is not malicious. If not, investigate further.

MITRE Tactic: TA0042
MITRE Technique: T1584
MITRE Sub-Technique: 007
Function was deleted
This alert triggers when a Lambda function is deleted. To delete a specific function version, use the Qualifier parameter. Otherwise, all versions and aliases are deleted.

Impact: Deleting a Lambda function will immediately stop any ongoing executions and prevent any further invocations. It's important to ensure that there are no critical processes or dependencies relying on the function at the time of deletion.

Mitigation: Check if the action was legitimate. If not, investigate further for any malicious activities. Additionally, before deleting a Lambda function, make sure to communicate with relevant stakeholders and check if there are any active processes that might be affected. You can also consider setting up alarms or notifications to alert you before deleting any important functions.

MITRE Tactic: TA0040
MITRE Technique: T1485
Settings of a Lambda function modified
This alert triggers when the version-specific settings of a Lambda function are modified.

Impact: Modifying version-specific settings may result in compatibility issues with the code deployed in that specific version. Changes to environment variables, execution role permissions, or other settings can cause unexpected behavior if they're not aligned with the deployed code.

Mitigation: Validate if the user was authorized to perform the update action and if the action was legitimate. If not, revert the action and investigate further.

MITRE Tactic: TA0042
MITRE Technique: T1584
MITRE Sub-Technique: 007
Resource-based policy modified by IAM user
This alert triggers when an AWS Lambda function resource-based policy is modified by an IAM user.

Impact: An attacker might modify an AWS Lambda function's resource-based policy in order to maintain persistence or allow its invocation from an external account.

Mitigation: Validate if the IAM user was authorized to perform the modification and if the action was legitimate. If not, revert the action and investigate further.

MITRE Tactic: TA0042
MITRE Technique: T1584
MITRE Sub-Technique: 007
Function modified by IAM user
This alert triggers when an IAM user modifies an AWS Lambda function.

Impact: An attacker might modify a Lambda function in order to maintain persistence or exfiltrate data being processed at runtime within an AWS environment.

Mitigation: Validate if the IAM user was authorized to perform the modification and if the action was legitimate. If not, revert the action and investigate further.

MITRE Tactic: TA0042
MITRE Technique: T1584
MITRE Sub-Technique: 007
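The five alerts above can be approximated over CloudTrail management events as in the following added example, which is not Coralogix's rule logic. The mapping from alert title to CloudTrail operation, the choice to ignore failed calls, and the sample records (account ID, user and function names) are assumptions constructed for illustration.

```python
import re

# Assumed mapping: CloudTrail operation -> (alert title, fire only for IAM users)
ALERTS = {
    "CreateFunction": ("Function was created", False),
    "DeleteFunction": ("Function was deleted", False),
    "UpdateFunctionConfiguration": ("Settings of a Lambda function modified", False),
    "AddPermission": ("Resource-based policy modified by IAM user", True),
    "RemovePermission": ("Resource-based policy modified by IAM user", True),
    "UpdateFunctionCode": ("Function modified by IAM user", True),
}
# Lambda event names carry an API-version suffix, e.g. "CreateFunction20150331"
# or "AddPermission20150331v2"; strip it and match the operation exactly so
# that "DeleteFunctionConcurrency20171031" is not mistaken for "DeleteFunction".
_VERSION = re.compile(r"\d{8}(v\d+)?$")

def classify(record):
    """Return the alert title a CloudTrail record maps to, or None."""
    if record.get("eventSource") != "lambda.amazonaws.com":
        return None
    if record.get("errorCode"):  # denied or failed call: nothing was changed
        return None
    op = _VERSION.sub("", record.get("eventName", ""))
    title, iam_only = ALERTS.get(op, (None, False))
    if iam_only and record.get("userIdentity", {}).get("type") != "IAMUser":
        return None
    return title

def triage(records):
    """Yield (alert, actor ARN, function name) for every matching record."""
    for r in records:
        alert = classify(r)
        if alert:
            params = r.get("requestParameters") or {}
            yield alert, r.get("userIdentity", {}).get("arn"), params.get("functionName")

def _rec(name, id_type, arn, fn, error=None):
    # Builds a constructed, trimmed-down CloudTrail record for the demo.
    rec = {"eventSource": "lambda.amazonaws.com", "eventName": name,
           "userIdentity": {"type": id_type, "arn": arn},
           "requestParameters": {"functionName": fn}}
    return dict(rec, errorCode=error) if error else rec

USER = "arn:aws:iam::111122223333:user/alice"                # constructed
ROLE = "arn:aws:sts::111122223333:assumed-role/deploy/ci"    # constructed
SAMPLE = [
    _rec("CreateFunction20150331", "AssumedRole", ROLE, "resize-images"),
    _rec("AddPermission20150331v2", "IAMUser", USER, "resize-images"),
    _rec("AddPermission20150331v2", "AssumedRole", ROLE, "resize-images"),
    _rec("UpdateFunctionCode20150331v2", "IAMUser", USER, "billing", "AccessDenied"),
    _rec("DeleteFunctionConcurrency20171031", "IAMUser", USER, "billing"),
]
```

Calling `list(triage(SAMPLE))` yields two hits: the function creation by the assumed role and the policy change by the IAM user.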
Integration
Learn more about Coralogix's out-of-the-box integration with AWS Lambda in our documentation.