Detectionhightest

AWS GuardDuty Important Change

Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

falokerCreated Tue Feb 11Updated Sun Oct 096e61ee20-ce00-4f8d-8aee-bedd8216f7e3cloud

Log Source

AWScloudtrail

ProductAWS← raw: aws

Servicecloudtrail← raw: cloudtrail

Detection Logic

detection:
    selection_source:
        eventSource: guardduty.amazonaws.com
        eventName: CreateIPSet
    condition: selection_source

False Positives

Valid change in the GuardDuty (e.g. to ignore internal scanners)

References

MITRE ATT&CK

Tactics

Sub-techniques

Rule Metadata

Rule ID

6e61ee20-ce00-4f8d-8aee-bedd8216f7e3

Status

test

Level

high

Type

Detection

Created

Tue Feb 11

Modified

Sun Oct 09

Author

Path

rules/cloud/aws/cloudtrail/aws_guardduty_disruption.yml

Raw Tags

attack.defense-evasionattack.t1562.001