AWS GuardDuty Detector Deletion

  1[metadata]
  2creation_date = "2020/05/28"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2026/01/21"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects the deletion of an Amazon GuardDuty detector. GuardDuty provides continuous monitoring for malicious or
 11unauthorized activity across AWS accounts. Deleting the detector disables this visibility, stopping all threat detection
 12and removing existing findings. Adversaries may delete GuardDuty detectors to impair security monitoring and evade
 13detection during or after an intrusion. This rule identifies successful "DeleteDetector" API calls and can indicate a
 14deliberate defense evasion attempt.
 15"""
 16false_positives = [
 17    """
 18    The GuardDuty detector may be deleted by a system or network administrator. Verify whether the user identity, user
 19    agent, and/or hostname should be making changes in your environment. Detector deletions by unfamiliar users or hosts
 20    should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 21    """,
 22]
 23from = "now-6m"
 24index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 25language = "kuery"
 26license = "Elastic License v2"
 27name = "AWS GuardDuty Detector Deletion"
 28note = """## Triage and analysis
 29
 30### Investigating AWS GuardDuty Detector Deletion
 31
 32Amazon GuardDuty is a continuous threat detection service that analyzes CloudTrail, DNS, and VPC Flow Logs to identify malicious activity and compromised resources. Deleting a GuardDuty detector stops this monitoring entirely and permanently removes all historical findings for the affected AWS account. This rule detects successful `DeleteDetector` API calls, which may represent an attacker attempting to impair defenses and evade detection. Such actions should be rare and always performed under controlled administrative change processes.
 33
 34#### Possible investigation steps
 35
 36- **Identify the actor**
 37  - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type` to determine who initiated the deletion.
 38  - Verify whether this principal normally performs GuardDuty configuration or administrative tasks.
 39
 40- **Review request context**
 41  - Check `aws.cloudtrail.request_parameters` and `cloud.region` to confirm the targeted GuardDuty detector and scope of impact.
 42  - Determine whether multiple detectors or member accounts were affected (especially in delegated admin organizations).
 43
 44- **Analyze source and access patterns**
 45  - Review `source.ip`, `user_agent.original` and `source.geo` fields for anomalous or previously unseen access locations or automation clients.
 46  - Check whether the deletion occurred outside standard maintenance windows or during a concurrent suspicious activity window.
 47
 48- **Correlate with preceding or related activity**
 49  - Search for earlier GuardDuty configuration changes:
 50    - `StopMonitoringMembers`, `DisassociateMembers`, or `DeleteMembers`
 51    - IAM role or policy modifications reducing GuardDuty privileges
 52  - Look for other defense evasion indicators such as CloudTrail suspension, Security Hub configuration changes, or disabling of AWS Config rules.
 53
 54- **Review historical GuardDuty findings**
 55  - Examine prior GuardDuty alerts and findings (if still retrievable) to determine whether the deletion followed significant detection activity.
 56  - Use centralized logs or security data lakes to recover findings removed from the console.
 57
 58### False positive analysis
 59
 60- **Authorized administrative actions**
 61  - Verify whether the deletion corresponds to legitimate account decommissioning, region cleanup, or migration activity.
 62- **Automation or IaC**
 63  - GuardDuty may be disabled temporarily during infrastructure provisioning or teardown in automated environments. 
 64    Confirm via CI/CD logs or Infrastructure-as-Code templates.
 65- **Organizational configuration changes**
 66  - Large organizations might consolidate GuardDuty under a delegated administrator account, causing detectors to be deleted in member accounts. 
 67    Validate these actions against security architecture changes.
 68
 69### Response and remediation
 70
 71- **Containment and restoration**
 72  - If unauthorized, immediately re-enable GuardDuty in the affected account and region using the `CreateDetector` API or AWS console.
 73  - Verify that findings aggregation and member account associations are restored to expected configurations.
 74
 75- **Investigation**
 76  - Review CloudTrail for related privilege escalation or resource tampering events around the deletion time.
 77  - Assess whether any attacker activity occurred during the monitoring gap between deletion and restoration.
 78
 79- **Recovery and hardening**
 80  - Restrict `guardduty:DeleteDetector` permissions to a limited administrative role.
 81  - Implement AWS Config rules or Security Hub controls to alert on changes to GuardDuty detectors or configuration states.
 82  - Enforce least privilege IAM policies, ensuring operational automation cannot disable GuardDuty outside maintenance workflows.
 83  - Document approved GuardDuty maintenance activities and correlate them with change tickets for traceability.
 84
 85### Additional information
 86- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** 
 87- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** 
 88- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
 89"""
 90references = [
 91    "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html",
 92]
 93risk_score = 73
 94rule_id = "523116c0-d89d-4d7c-82c2-39e6845a78ef"
 95severity = "high"
 96tags = [
 97    "Domain: Cloud",
 98    "Data Source: AWS",
 99    "Data Source: Amazon Web Services",
100    "Data Source: AWS GuardDuty",
101    "Tactic: Defense Evasion",
102    "Resources: Investigation Guide",
103]
104timestamp_override = "event.ingested"
105type = "query"
106
107query = '''
108event.dataset: aws.cloudtrail 
109  and event.provider: guardduty.amazonaws.com 
110  and event.action: DeleteDetector 
111  and event.outcome: success
112'''
113
114
115[[rule.threat]]
116framework = "MITRE ATT&CK"
117[[rule.threat.technique]]
118id = "T1562"
119name = "Impair Defenses"
120reference = "https://attack.mitre.org/techniques/T1562/"
121[[rule.threat.technique.subtechnique]]
122id = "T1562.001"
123name = "Disable or Modify Tools"
124reference = "https://attack.mitre.org/techniques/T1562/001/"
125
126
127
128[rule.threat.tactic]
129id = "TA0005"
130name = "Defense Evasion"
131reference = "https://attack.mitre.org/tactics/TA0005/"
132
133[rule.investigation_fields]
134field_names = [
135    "@timestamp",
136    "user.name",
137    "user_agent.original",
138    "source.ip",
139    "aws.cloudtrail.user_identity.arn",
140    "aws.cloudtrail.user_identity.type",
141    "aws.cloudtrail.user_identity.access_key_id",
142    "event.action",
143    "event.outcome",
144    "cloud.account.id",
145    "cloud.region",
146    "aws.cloudtrail.request_parameters",
147]