LoFP / T1648

T1648

Title Tags
Lambda function owners or deployment pipelines may legitimately add or update layers as part of normal development and maintenance workflows. Confirm that the layer addition aligns with approved changes, expected CI/CD behavior, or routine dependency updates. Known automation roles or build systems can be excluded if they consistently perform authorized modifications.
Legitimate changes to Lambda functions can trigger this signal. Ensure that the changes are authorized and align with your organization's policies.
Verify whether the user identity should be using the triggered API. If known behavior is causing false positives, it can be exempted from the rule. The "history_window_start" value can be modified to reflect the expected frequency of known activity within a particular environment.