Rule Info
Name
AWS GuardDuty Detector Deleted Or Updated
Author
suktech24
Description
Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of their malicious activities.
Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.
Verify with the user identity that this activity is legitimate.
Date
2025-11-27 00:00:00
Modified
None
Id
d2656e78-c069-4571-8220-9e0ab5913f19
Tags
attack.defense-evasion attack.t1562.001 attack.t1562.008
Type
Community Rule
Link to Public Repo
Rule History
Author
suKTech24
Title
Merge PR #5536 from @suKTech24 - Add `AWS GuardDuty Detector Deleted Or Updated`
Date
2025-11-28
Commit
