Sample rules
AWS GuardDuty Detector Deleted Or Updated
- source: sigma
- techniques:
  - t1562
  - t1562.001
  - t1562.008
Description
Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of their malicious activities. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. Verify with the user identity that this activity is legitimate.
Detection logic
selection_event_source:
  eventSource: guardduty.amazonaws.com
selection_action_delete:
  eventName: DeleteDetector
selection_action_update:
  eventName: UpdateDetector
  requestParameters.enable: 'false'
selection_status_null:
  errorCode: null
selection_status_success:
  errorCode: Success
condition: selection_event_source and 1 of selection_action_* and 1 of selection_status_*
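The rule above, evaluated in Python over constructed CloudTrail-style records so the matching behaviour of each selection can be checked offline. This is an added example, not part of the Sigma rule or the Sigma project; the sample events, account id and ARNs are made up.

```python
import json

# Constructed CloudTrail-style records (not real logs) exercising each branch of the rule.
SAMPLE_EVENTS = [
    {"eventSource": "guardduty.amazonaws.com", "eventName": "DeleteDetector",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventSource": "guardduty.amazonaws.com", "eventName": "UpdateDetector",
     "requestParameters": {"detectorId": "example-detector", "enable": False},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops"}},
    {"eventSource": "guardduty.amazonaws.com", "eventName": "UpdateDetector",
     "requestParameters": {"enable": True}},                         # re-enable: benign
    {"eventSource": "guardduty.amazonaws.com", "eventName": "DeleteDetector",
     "errorCode": "AccessDenied"},                                    # denied attempt
    {"eventSource": "ec2.amazonaws.com", "eventName": "DeleteDetector"},  # other service
]

def _get(event, dotted_key):
    """Resolve a Sigma-style dotted field name (e.g. requestParameters.enable) in nested JSON."""
    cur = event
    for part in dotted_key.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches_guardduty_detector_rule(event):
    """Evaluate: selection_event_source and 1 of selection_action_* and 1 of selection_status_*."""
    event_source = _get(event, "eventSource") == "guardduty.amazonaws.com"
    action_delete = _get(event, "eventName") == "DeleteDetector"
    # CloudTrail stores the flag as a JSON boolean; the Sigma rule writes it as the string 'false'.
    action_update = (_get(event, "eventName") == "UpdateDetector"
                     and str(_get(event, "requestParameters.enable")).lower() == "false")
    error_code = _get(event, "errorCode")
    # 'errorCode: null' in Sigma matches an absent field, i.e. the API call succeeded.
    status_ok = error_code is None or error_code == "Success"
    return event_source and (action_delete or action_update) and status_ok

def alert_on(events):
    """Return the caller ARN (or 'unknown') for every matching event, for identity verification."""
    return [_get(e, "userIdentity.arn") or "unknown"
            for e in events if matches_guardduty_detector_rule(e)]

if __name__ == "__main__":
    print(json.dumps(alert_on(SAMPLE_EVENTS), indent=2))
```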