defense_evasion_guardduty_detector_deletion.toml

[metadata]
creation_date = "2020/05/28"
maturity = "production"
updated_date = "2020/12/09"

[rule]
author = ["Elastic"]
description = """
Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and
all existing findings are lost.
"""
false_positives = [
    """
    The GuardDuty detector may be deleted by a system or network administrator. Verify whether the user identity, user
    agent, and/or hostname should be making changes in your environment. Detector deletions from unfamiliar users or
    hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-60m"
index = ["filebeat-*", "logs-aws*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "AWS GuardDuty Detector Deletion"
note = "The AWS Filebeat module must be enabled to use this rule."
references = [
    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html",
    "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html",
]
risk_score = 73
rule_id = "523116c0-d89d-4d7c-82c2-39e6845a78ef"
severity = "high"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring"]
type = "query"

query = '''
event.action:DeleteDetector and event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"