GuardDuty member relationships may be modified during legitimate organizational changes such as account migrations, security architecture restructuring, or delegated administrator transitions. Verify whether the user identity and timing align with approved change management processes. If this is expected administrative activity, it can be exempted from the rule.

Techniques

Sample rules

AWS GuardDuty Member Account Manipulation

Description

Detects attempts to disassociate or manipulate Amazon GuardDuty member accounts within an AWS organization. In multi-account GuardDuty deployments, a delegated administrator account aggregates findings from member accounts. Adversaries may attempt to disassociate member accounts, delete member relationships, stop monitoring members, or delete pending invitations to break this centralized visibility. These actions can be precursors to or alternatives for deleting GuardDuty detectors entirely, allowing attackers to operate undetected in member accounts while the administrator account loses visibility. This rule identifies successful API calls that manipulate GuardDuty member relationships, which are rare in normal operations and warrant immediate investigation.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "guardduty.amazonaws.com"
    and event.action: (
        "DisassociateFromAdministratorAccount" or
        "DeleteMembers" or
        "StopMonitoringMembers" or
        "DeleteInvitations" or
        "DisassociateMembers"
    )
    and event.outcome: "success"
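The rule above rendered as a small triage script, together with the exemption the false-positive note describes (identity and timing both inside an approved change window). This is an added example, not Elastic's code; the flattened ECS field names, the `user.name` identity field and the change-window structure are assumptions, and the events are constructed.

```python
# Added example: the rule above rendered in Python, run over constructed
# CloudTrail events in flattened ECS field names. Not Elastic's code.
from datetime import datetime, timezone

# The five GuardDuty member-management actions the rule lists.
MEMBER_ACTIONS = {"DisassociateFromAdministratorAccount", "DeleteMembers",
                  "StopMonitoringMembers", "DeleteInvitations", "DisassociateMembers"}

def matches_rule(event: dict) -> bool:
    """Mirror the KQL: dataset, provider, listed action, and a successful outcome."""
    return (event.get("event.dataset") == "aws.cloudtrail"
            and event.get("event.provider") == "guardduty.amazonaws.com"
            and event.get("event.action") in MEMBER_ACTIONS
            and event.get("event.outcome") == "success")

def is_approved_change(event: dict, windows: list) -> bool:
    """Exemption from the false-positive note: both identity and timing must
    fall inside an approved change window (window structure is hypothetical)."""
    ts = datetime.fromisoformat(event["@timestamp"])
    return any(w["user"] == event.get("user.name") and w["start"] <= ts <= w["end"]
               for w in windows)

def triage(events: list, windows: list) -> list:
    """Events that match the rule and are not covered by an approved window."""
    return [e for e in events if matches_rule(e) and not is_approved_change(e, windows)]

def _ev(ts, action, outcome, user):  # helper to build a constructed sample event
    return {"@timestamp": ts, "event.dataset": "aws.cloudtrail",
            "event.provider": "guardduty.amazonaws.com", "event.action": action,
            "event.outcome": outcome, "user.name": user}

# Constructed sample events: one unexplained disassociation, one during a
# planned migration, one failed attempt, one read-only call.
SAMPLE_EVENTS = [
    _ev("2024-03-10T02:15:00+00:00", "DisassociateMembers", "success", "unknown-role"),
    _ev("2024-03-12T14:05:00+00:00", "DeleteMembers", "success", "secops-migration"),
    _ev("2024-03-12T14:06:00+00:00", "DeleteMembers", "failure", "unknown-role"),
    _ev("2024-03-12T14:07:00+00:00", "ListMembers", "success", "unknown-role"),
]

# Constructed approved change window for the migration principal.
CHANGE_WINDOWS = [{"user": "secops-migration",
                   "start": datetime(2024, 3, 12, 13, 0, tzinfo=timezone.utc),
                   "end": datetime(2024, 3, 12, 16, 0, tzinfo=timezone.utc)}]

if __name__ == "__main__":
    for e in triage(SAMPLE_EVENTS, CHANGE_WINDOWS):
        print("ALERT", e["event.action"], e["user.name"], e["@timestamp"])
```

Only the first event survives triage: the failed call and the read-only `ListMembers` never match the rule, and the migration principal's `DeleteMembers` is suppressed by its change window.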