← Library
sigmaDRL-1.1from SigmaHQ/sigma

AWS GuardDuty Detector Deleted Or Updated

Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of its malicious activities. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. Verify with the user identity that this activity is legitimate.

Quality
68
FP risk
Forks
0
Views
0
ATT&CK techniques
T1562.001T1562.008
Rule sourcerules/cloud/aws/cloudtrail/aws_cloudtrail_guardduty_detector_deleted_or_updated.yml
title: AWS GuardDuty Detector Deleted Or Updated
id: d2656e78-c069-4571-8220-9e0ab5913f19
status: experimental
description: |
    Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of its malicious activities.
    Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.
    Verify with the user identity that this activity is legitimate.
references:
    - https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html
    - https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateDetector.html
    - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_suspend-disable.html
    - https://docs.datadoghq.com/security/default_rules/719-39f-9cd/
    - https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-guardduty-detector-is-enabled
    - https://docs.stellarcyber.ai/5.2.x/Using/ML/Alert-Rule-Based-Potentially_Malicious_AWS_Activity.html
    - https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon%20Web%20Services/Analytic%20Rules/AWS_GuardDutyDisabled.yaml
    - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
    - https://help.fortinet.com/fsiem/Public_Resource_Access/7_4_0/rules/PH_RULE_AWS_GuardDuty_Detector_Deletion.htm
    - https://research.splunk.com/sources/5d8bd475-c8bc-4447-b27f-efa508728b90/
    - https://suktech24.com/2025/07/17/aws-threat-detection-rule-guardduty-detector-disabled-or-suspended/
    - https://www.atomicredteam.io/atomic-red-team/atomics/T156001#atomic-test-46---aws---guardduty-suspension-or-deletion
author: suktech24
date: 2025-11-27
tags:
    - attack.defense-evasion
    - attack.t1562.001
    - attack.t1562.008
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_event_source:
        eventSource: 'guardduty.amazonaws.com'
    selection_action_delete:
        eventName: 'DeleteDetector'
    selection_action_update:
        eventName: 'UpdateDetector'
        requestParameters.enable: 'false'
    selection_status_success:
        errorCode: 'Success'
    selection_status_null:
        errorCode: null
    condition: selection_event_source and 1 of selection_action_* and 1 of selection_status_*
falsepositives:
    - Legitimate detector deletion by an admin (e.g., during account decommissioning).
    - Temporary disablement for troubleshooting (verify via change management tickets).
    - Automated deployment tools (e.g. Terraform) managing GuardDuty state.
level: high