Detection | high | experimental
AWS GuardDuty Detector Deleted Or Updated
Detects the successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of their malicious activity. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. Verify with the user identity involved that this activity is legitimate.
Log Source
Product: AWS (raw: aws)
Service: cloudtrail (raw: cloudtrail)
Detection Logic (5 selectors)
detection:
    selection_event_source:
        eventSource: 'guardduty.amazonaws.com'
    selection_action_delete:
        eventName: 'DeleteDetector'
    selection_action_update:
        eventName: 'UpdateDetector'
        requestParameters.enable: 'false'
    selection_status_success:
        errorCode: 'Success'
    selection_status_null:
        errorCode: null
    condition: selection_event_source and 1 of selection_action_* and 1 of selection_status_*
False Positives
Legitimate detector deletion by an admin (e.g., during account decommissioning).
Temporary disablement for troubleshooting (verify via change management tickets).
Automated deployment tools (e.g. Terraform) managing GuardDuty state.
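The following is an added example, not part of the Sigma rule or its converter: a plain-Python reading of the rule's five selectors and its condition, run over constructed CloudTrail records (the account id, detector id and ARNs are placeholders). It shows which records fire, that a failed deletion attempt (errorCode set) and an UpdateDetector call that keeps the detector enabled do not, and returns the acting identity for the triage step the description asks for. One assumption is called out in the code: CloudTrail serialises requestParameters.enable as a JSON boolean, while the rule writes the value as the string 'false', so the comparison is done on a lower-cased string form.

```python
"""Added example: apply the rule's selection/condition logic to CloudTrail records.

Not the Sigma rule's own code; a hand-written evaluator for the YAML above,
run over constructed sample events to show which records match.
"""
from typing import Iterable

GUARDDUTY_SOURCE = "guardduty.amazonaws.com"

# Constructed sample CloudTrail records (not real log data). Field names follow
# the CloudTrail schema; the account id, detector id and ARNs are placeholders.
SAMPLE_EVENTS = [
    {   # 1: detector deleted, no errorCode -> CloudTrail's usual "success" shape
        "eventSource": GUARDDUTY_SOURCE, "eventName": "DeleteDetector",
        "requestParameters": {"detectorId": "EXAMPLE-DETECTOR-ID"},
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-admin"},
    },
    {   # 2: detector disabled via UpdateDetector with enable=false
        "eventSource": GUARDDUTY_SOURCE, "eventName": "UpdateDetector",
        "requestParameters": {"detectorId": "EXAMPLE-DETECTOR-ID", "enable": False},
        "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/example-role/session"},
    },
    {   # 3: UpdateDetector that keeps the detector enabled -> not a match
        "eventSource": GUARDDUTY_SOURCE, "eventName": "UpdateDetector",
        "requestParameters": {"detectorId": "EXAMPLE-DETECTOR-ID", "enable": True},
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-admin"},
    },
    {   # 4: deletion attempt that failed -> errorCode set, not a match
        "eventSource": GUARDDUTY_SOURCE, "eventName": "DeleteDetector",
        "errorCode": "AccessDenied",
        "requestParameters": {"detectorId": "EXAMPLE-DETECTOR-ID"},
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-dev"},
    },
    {   # 5: unrelated service -> the eventSource selector fails
        "eventSource": "ec2.amazonaws.com", "eventName": "StopInstances",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-admin"},
    },
]


def selection_event_source(event: dict) -> bool:
    return event.get("eventSource") == GUARDDUTY_SOURCE


def selection_action_delete(event: dict) -> bool:
    return event.get("eventName") == "DeleteDetector"


def selection_action_update(event: dict) -> bool:
    # Assumption: CloudTrail logs requestParameters.enable as a JSON boolean,
    # while the rule writes the string 'false'; compare on a lower-cased string.
    params = event.get("requestParameters") or {}
    enable = params.get("enable")
    return (event.get("eventName") == "UpdateDetector"
            and str(enable).lower() == "false")


def selection_status_success(event: dict) -> bool:
    return event.get("errorCode") == "Success"


def selection_status_null(event: dict) -> bool:
    # Sigma `null` matches a field that is absent (or JSON null): CloudTrail
    # omits errorCode on successful calls, which is why the rule needs both
    # status selectors.
    return event.get("errorCode") is None


def rule_matches(event: dict) -> bool:
    """condition: selection_event_source and 1 of selection_action_* and 1 of selection_status_*"""
    return (selection_event_source(event)
            and (selection_action_delete(event) or selection_action_update(event))
            and (selection_status_success(event) or selection_status_null(event)))


def evaluate(events: Iterable[dict]) -> list:
    """Return (eventName, actor ARN) for each matching record, for triage."""
    hits = []
    for event in events:
        if rule_matches(event):
            actor = (event.get("userIdentity") or {}).get("arn", "<unknown>")
            hits.append((event["eventName"], actor))
    return hits


if __name__ == "__main__":
    for name, actor in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {name} by {actor}")
```

Only records 1 and 2 match; the actor ARN returned alongside each hit is the starting point for checking the false-positive cases listed above (admin decommissioning, troubleshooting tickets, Terraform-managed state) before escalating.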
References
docs.aws.amazon.com
docs.aws.amazon.com
docs.aws.amazon.com
docs.datadoghq.com
docs.prismacloud.io
docs.stellarcyber.ai
github.com
github.com
help.fortinet.com
research.splunk.com
suktech24.com
atomicredteam.io
MITRE ATT&CK
Rule Metadata
Rule ID
d2656e78-c069-4571-8220-9e0ab5913f19
Status
experimental
Level
high
Type
Detection
Created
Thu Nov 27
Author
Path
rules/cloud/aws/cloudtrail/aws_cloudtrail_guardduty_detector_deleted_or_updated.yml
Raw Tags
attack.defense-evasion, attack.t1562.001, attack.t1562.008