AWS GuardDuty Detector Deleted Or Updated
Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of its malicious activities. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. Verify with the user identity that this activity is legitimate.
Sigma rule (View on GitHub)
1title: AWS GuardDuty Detector Deleted Or Updated
2id: d2656e78-c069-4571-8220-9e0ab5913f19
3status: experimental
4description: |
5 Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of its malicious activities.
6 Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.
7 Verify with the user identity that this activity is legitimate.
8references:
9 - https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html
10 - https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateDetector.html
11 - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_suspend-disable.html
12 - https://docs.datadoghq.com/security/default_rules/719-39f-9cd/
13 - https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-guardduty-detector-is-enabled
14 - https://docs.stellarcyber.ai/5.2.x/Using/ML/Alert-Rule-Based-Potentially_Malicious_AWS_Activity.html
15 - https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon%20Web%20Services/Analytic%20Rules/AWS_GuardDutyDisabled.yaml
16 - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
17 - https://help.fortinet.com/fsiem/Public_Resource_Access/7_4_0/rules/PH_RULE_AWS_GuardDuty_Detector_Deletion.htm
18 - https://research.splunk.com/sources/5d8bd475-c8bc-4447-b27f-efa508728b90/
19 - https://suktech24.com/2025/07/17/aws-threat-detection-rule-guardduty-detector-disabled-or-suspended/
20 - https://www.atomicredteam.io/atomic-red-team/atomics/T156001#atomic-test-46---aws---guardduty-suspension-or-deletion
21author: suktech24
22date: 2025-11-27
23tags:
24 - attack.defense-evasion
25 - attack.t1562.001
26 - attack.t1562.008
27logsource:
28 product: aws
29 service: cloudtrail
30detection:
31 selection_event_source:
32 eventSource: 'guardduty.amazonaws.com'
33 selection_action_delete:
34 eventName: 'DeleteDetector'
35 selection_action_update:
36 eventName: 'UpdateDetector'
37 requestParameters.enable: 'false'
38 selection_status_success:
39 errorCode: 'Success'
40 selection_status_null:
41 errorCode: null
42 condition: selection_event_source and 1 of selection_action_* and 1 of selection_status_*
43falsepositives:
44 - Legitimate detector deletion by an admin (e.g., during account decommissioning).
45 - Temporary disablement for troubleshooting (verify via change management tickets).
46 - Automated deployment tools (e.g. Terraform) managing GuardDuty state.
47level: high
References
-
-
-
-
-
Cloud-native SIEM for intelligent security analytics for your entire enterprise. - Azure/Azure-Sentinel
Read More -
-
AWS GuardDuty Detector Deleted Rule ID PH_Rule_ES_IMPORT_AWS_11 Default Status Enabled Description Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring...
Read More -
Date: 2025-01-23 ID: 5d8bd475-c8bc-4447-b27f-efa508728b90 Author: Patrick Bareiss, Splunk Description Logs the deletion of an Amazon GuardDuty detector, including details about the detector ID and associated configurations. Details Property Value Source aws_cloudtrail Sourcetype aws:cloudtrail Separator eventName Supported Apps Splunk Add-on for AWS (version 8.0.0) Event Fields + Fields <span class="pill kill-chain">_time</span> <span class="pill kill-chain">app</span> <span class="pill kill-chain">awsRegion</span> <span class="pill kill-chain">aws_account_id</span> <span class="pill kill-chain">command</span> <span class="pill kill-chain">date_hour</span> <span class="pill kill-chain">date_mday</span> <span class="pill kill-chain">date_minute</span> <span class="pill kill-chain">date_month</span> <span class="pill kill-chain">date_second</span> <span class="pill kill-chain">date_wday</span> <span class="pill kill-chain">date_year</span> <span class="pill kill-chain">date_zone</span> <span class="pill kill-chain">dest</span> <span class="pill kill-chain">dvc</span> <span class="pill kill-chain">errorCode</span> <span class="pill kill-chain">eventCategory</span> <span class="pill kill-chain">eventID</span> <span class="pill kill-chain">eventName</span> <span class="pill kill-chain">eventSource</span> <span class="pill kill-chain">eventTime</span> <span class="pill kill-chain">eventType</span> <span class="pill kill-chain">eventVersion</span> <span class="pill kill-chain">eventtype</span> <span class="pill kill-chain">host</span> <span class="pill kill-chain">index</span> <span class="pill kill-chain">linecount</span> <span class="pill kill-chain">managementEvent</span> <span class="pill kill-chain">msg</span> <span class="pill kill-chain">object_category</span> <span class="pill kill-chain">product</span> <span class="pill kill-chain">punct</span> <span class="pill kill-chain">readOnly</span> <span class="pill kill-chain">recipientAccountId</span> <span class="pill kill-chain">region</span> <span class="pill kill-chain">requestID</span> <span class="pill kill-chain">requestParameters.
Read More -
Weekly #11-2025 – By suktech24, Thurs 17 July 2025, Estimated reading time : 10 mins In this week, I am diving into one threat detection rule : AWS GuardDuty detector disabled or suspended. Before …
Read More
Related rules
- Add SafeBoot Keys Via Reg Utility
- Dism Remove Online Package
- Hypervisor Enforced Code Integrity Disabled
- Removal Of AMSI Provider Registry Keys
- Cisco Disabling Logging