AWS GuardDuty Detector Deleted Or Updated
Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of its malicious activities. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. Verify with the user identity that this activity is legitimate.
Sigma rule (View on GitHub)
1title: AWS GuardDuty Detector Deleted Or Updated
2id: d2656e78-c069-4571-8220-9e0ab5913f19
3status: experimental
4description: |
5 Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of its malicious activities.
6 Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.
7 Verify with the user identity that this activity is legitimate.
8references:
9 - https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html
10 - https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateDetector.html
11 - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_suspend-disable.html
12 - https://docs.datadoghq.com/security/default_rules/719-39f-9cd/
13 - https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-guardduty-detector-is-enabled
14 - https://docs.stellarcyber.ai/5.2.x/Using/ML/Alert-Rule-Based-Potentially_Malicious_AWS_Activity.html
15 - https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon%20Web%20Services/Analytic%20Rules/AWS_GuardDutyDisabled.yaml
16 - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
17 - https://help.fortinet.com/fsiem/Public_Resource_Access/7_4_0/rules/PH_RULE_AWS_GuardDuty_Detector_Deletion.htm
18 - https://research.splunk.com/sources/5d8bd475-c8bc-4447-b27f-efa508728b90/
19 - https://suktech24.com/2025/07/17/aws-threat-detection-rule-guardduty-detector-disabled-or-suspended/
20 - https://www.atomicredteam.io/atomic-red-team/atomics/T156001#atomic-test-46---aws---guardduty-suspension-or-deletion
21author: suktech24
22date: 2025-11-27
23tags:
24 - attack.defense-impairment
25 - attack.t1685
26 - attack.t1685.002
27logsource:
28 product: aws
29 service: cloudtrail
30detection:
31 selection_event_source:
32 eventSource: 'guardduty.amazonaws.com'
33 selection_action_delete:
34 eventName: 'DeleteDetector'
35 selection_action_update:
36 eventName: 'UpdateDetector'
37 requestParameters.enable: 'false'
38 selection_status_success:
39 errorCode: 'Success'
40 selection_status_null:
41 errorCode: null
42 condition: selection_event_source and 1 of selection_action_* and 1 of selection_status_*
43falsepositives:
44 - Legitimate detector deletion by an admin (e.g., during account decommissioning).
45 - Temporary disablement for troubleshooting (verify via change management tickets).
46 - Automated deployment tools (e.g. Terraform) managing GuardDuty state.
47level: high
References
-
-
-
-
-
Cloud-native SIEM for intelligent security analytics for your entire enterprise. - Azure/Azure-Sentinel
Read More -
-
Date: 2025-01-23 ID: 5d8bd475-c8bc-4447-b27f-efa508728b90 Author: Patrick Bareiss, Splunk Description Logs the deletion of an Amazon GuardDuty detector, including details about the detector ID and associated configurations. Details Property Value Source aws_cloudtrail Sourcetype aws:cloudtrail Separator eventName Related Detections Name ▲▼ Technique ▲▼ Type ▲▼ AWS Defense Evasion Impair Security Services Disable or Modify Cloud Logs TTP Supported Apps Splunk Add-on for AWS (version 8.1.0) Event Fields + Fields <span class="pill kill-chain">_time</span> <span class="pill kill-chain">app</span> <span class="pill kill-chain">awsRegion</span> <span class="pill kill-chain">aws_account_id</span> <span class="pill kill-chain">command</span> <span class="pill kill-chain">date_hour</span> <span class="pill kill-chain">date_mday</span> <span class="pill kill-chain">date_minute</span> <span class="pill kill-chain">date_month</span> <span class="pill kill-chain">date_second</span> <span class="pill kill-chain">date_wday</span> <span class="pill kill-chain">date_year</span> <span class="pill kill-chain">date_zone</span> <span class="pill kill-chain">dest</span> <span class="pill kill-chain">dvc</span> <span class="pill kill-chain">errorCode</span> <span class="pill kill-chain">eventCategory</span> <span class="pill kill-chain">eventID</span> <span class="pill kill-chain">eventName</span> <span class="pill kill-chain">eventSource</span> <span class="pill kill-chain">eventTime</span> <span class="pill kill-chain">eventType</span> <span class="pill kill-chain">eventVersion</span> <span class="pill kill-chain">eventtype</span> <span class="pill kill-chain">host</span> <span class="pill kill-chain">index</span> <span class="pill kill-chain">linecount</span> <span class="pill kill-chain">managementEvent</span> <span class="pill kill-chain">msg</span> <span class="pill kill-chain">object_category</span> <span class="pill kill-chain">product</span> <span class="pill kill-chain">punct</span> <span class="pill kill-chain">readOnly</span> <span class="pill kill-chain">recipientAccountId</span> <span class="pill kill-chain">region</span> <span class="pill kill-chain">requestID</span> <span class="pill kill-chain">requestParameters.
Read More -
Weekly #11-2025 – By suktech24, Thurs 17 July 2025, Estimated reading time : 10 mins In this week, I am diving into one threat detection rule : AWS GuardDuty detector disabled or suspended. Before …
Read More
Related rules
- AMSI Bypass Pattern Assembly GetType
- AMSI Disabled via Registry Modification
- ASLR Disabled Via Sysctl or Direct Syscall - Linux
- AWS CloudTrail Important Change
- AWS Config Disabling Channel/Recorder