heroui logo

AWS GuardDuty Detection Suppression

Elastic Detection Rules

View Source
Summary
This rule detects attempts to suppress or blind Amazon GuardDuty without deleting the detector. It monitors CloudTrail events from the GuardDuty service for three suppression techniques: (1) CreateIPSet/UpdateIPSet with activate set to true, which can whitelist attacker-controlled addresses so their activity is ignored; (2) CreateThreatIntelSet/UpdateThreatIntelSet with activate set to true, which can alter the threat intel feed GuardDuty uses to flag malicious activity; (3) UpdateDetector with Enable set to false, which quietly disables GuardDuty while preserving configuration and findings. The detector itself remains intact, meaning detections that only look for detector deletion will miss these actions. The query targets aws.cloudtrail logs where event.provider is guardduty.amazonaws.com, event.outcome is success, and the relevant actions with the proper request_parameters. Investigators should examine which actor performed the change, what was modified (detectorId, IP set location/name, threat intel feed location, or enable flag), and whether the changes align with established change management. Cross-reference with other defense evasion activity (e.g., detector deletion, IAM privilege changes) and review source context (IP, user agent, geo). If unauthorized, revert changes, re-enable the detector, and tighten permissions to guardduty:CreateIPSet, guardduty:UpdateIPSet, guardduty:CreateThreatIntelSet, guardduty:UpdateThreatIntelSet, and guardduty:UpdateDetector.
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1562
  • T1562.001
Created: 2026-07-13