Techniques
Sample rules
AWS GuardDuty Important Change
- source: sigma
- techniques:
  - t1562
  - t1562.001
Description
Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
Detection logic
condition: selection_source
selection_source:
  eventName: CreateIPSet
  eventSource: guardduty.amazonaws.com
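The detection logic above applied to CloudTrail records, as an added example that is not part of the original rule or the Sigma project. The log lines, ARNs, account ID, IP addresses and the `triage` helper are constructed for illustration; the sample also shows which neighbouring events the selection does not cover.

```python
import json

# Selection from the rule above; condition "selection_source" requires every field to match.
SELECTION_SOURCE = {
    "eventSource": "guardduty.amazonaws.com",
    "eventName": "CreateIPSet",
}

# Constructed CloudTrail records, one JSON object per line (placeholder ARNs, IPs, bucket).
SAMPLE_LOG = """\
{"eventTime":"2024-01-01T10:00:00Z","eventSource":"guardduty.amazonaws.com","eventName":"ListDetectors","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/analyst"},"requestParameters":null}
{"eventTime":"2024-01-01T10:05:00Z","eventSource":"guardduty.amazonaws.com","eventName":"CreateIPSet","sourceIPAddress":"203.0.113.9","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ops"},"requestParameters":{"detectorId":"EXAMPLEDETECTOR","name":"trusted-office","format":"TXT","location":"https://s3.amazonaws.com/example-bucket/list.txt","activate":true}}
{"eventTime":"2024-01-01T10:06:00Z","eventSource":"wafv2.amazonaws.com","eventName":"CreateIPSet","sourceIPAddress":"203.0.113.9","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ops"},"requestParameters":{"name":"waf-allow"}}
{"eventTime":"2024-01-01T10:07:00Z","eventSource":"guardduty.amazonaws.com","eventName":"UpdateIPSet","sourceIPAddress":"203.0.113.9","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ops"},"requestParameters":{"name":"trusted-office","activate":true}}
{"eventTime":"2024-01-01T10:08:00Z","eventSource":"guardduty.amazonaws.com","eventName":"CreateIPSet","errorCode":"AccessDenied","sourceIPAddress":"203.0.113.9","userIdentity":{"arn":"arn:aws:iam::111122223333:user/dev"},"requestParameters":{"name":"tmp","activate":false}}
"""

def matches(event, selection=SELECTION_SOURCE):
    # Exact, case-sensitive equality on each selected field.
    return all(event.get(field) == value for field, value in selection.items())

def triage(event):
    params = event.get("requestParameters") or {}
    return {
        "time": event.get("eventTime"),
        "actor": (event.get("userIdentity") or {}).get("arn"),
        "source_ip": event.get("sourceIPAddress"),
        "list_name": params.get("name"),
        "list_location": params.get("location"),
        "activated": params.get("activate"),
        "error": event.get("errorCode"),  # the rule also fires on failed calls
    }

def detect(log_text):
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if matches(event):
            hits.append(triage(event))
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

Only the two GuardDuty `CreateIPSet` records match; the `UpdateIPSet` record and the WAFv2 `CreateIPSet` record fall outside this selection, so changes to an existing list need separate coverage.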