Back
Id9da99021-d318-4711-a78a-6dea76129b3a
RulenameAWSCloudTrail - AWS GuardDuty detector disabled or suspended
DescriptionIdentifies AWS GuardDuty detectors being disabled or suspended. This behavior can indicate defense evasion and should be validated with the initiating identity and approved administrative activity.
SeverityHigh
TacticsDefenseEvasion
TechniquesT1562
Required data connectorsAWS
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon%20Web%20Services/Analytic%20Rules/AWS_GuardDutyDisabled.yaml
Version1.0.3
Arm template9da99021-d318-4711-a78a-6dea76129b3a.json
Deploy To Azure
AWSCloudTrail
| where (EventName == "DeleteDetector" and isempty(ErrorCode) and isempty( ErrorMessage)) or (EventName == "UpdateDetector" and tostring(parse_json(RequestParameters).enable) == "false" and isempty(ErrorCode) and isempty( ErrorMessage))
| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
| extend UserName = tostring(split(UserIdentityArn, '/')[-1])
| extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
| extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
  AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
status: Available
query: |
  AWSCloudTrail
  | where (EventName == "DeleteDetector" and isempty(ErrorCode) and isempty( ErrorMessage)) or (EventName == "UpdateDetector" and tostring(parse_json(RequestParameters).enable) == "false" and isempty(ErrorCode) and isempty( ErrorMessage))
  | extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
  | extend UserName = tostring(split(UserIdentityArn, '/')[-1])
  | extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
  | extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
    AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
queryPeriod: 1d
relevantTechniques:
- T1562
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
  - identifier: CloudAppAccountId
    columnName: RecipientAccountId
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIpAddress
id: 9da99021-d318-4711-a78a-6dea76129b3a
requiredDataConnectors:
- dataTypes:
  - AWSCloudTrail
  connectorId: AWS
tactics:
- DefenseEvasion
triggerOperator: gt
name: AWSCloudTrail - AWS GuardDuty detector disabled or suspended
customDetails:
  UserName: UserName
  EventName: EventName
  SourceIpAddress: SourceIpAddress
  UserIdentityArn: UserIdentityArn
triggerThreshold: 0
severity: High
alertDetailsOverride:
  alertDescriptionFormat: AWS GuardDuty detector activity {{EventName}} was detected for {{AccountName}} from {{SourceIpAddress}}.
  alertDisplayNameFormat: AWS GuardDuty detector disabled or suspended by {{AccountName}}
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon%20Web%20Services/Analytic%20Rules/AWS_GuardDutyDisabled.yaml
description: |
  Identifies AWS GuardDuty detectors being disabled or suspended. This behavior can indicate defense evasion and should be validated with the initiating identity and approved administrative activity.
version: 1.0.3
queryFrequency: 1d
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9da99021-d318-4711-a78a-6dea76129b3a')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9da99021-d318-4711-a78a-6dea76129b3a')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "AWS GuardDuty detector activity {{EventName}} was detected for {{AccountName}} from {{SourceIpAddress}}.",
          "alertDisplayNameFormat": "AWS GuardDuty detector disabled or suspended by {{AccountName}}"
        },
        "alertRuleTemplateName": "9da99021-d318-4711-a78a-6dea76129b3a",
        "customDetails": {
          "EventName": "EventName",
          "SourceIpAddress": "SourceIpAddress",
          "UserIdentityArn": "UserIdentityArn",
          "UserName": "UserName"
        },
        "description": "Identifies AWS GuardDuty detectors being disabled or suspended. This behavior can indicate defense evasion and should be validated with the initiating identity and approved administrative activity.\n",
        "displayName": "AWSCloudTrail - AWS GuardDuty detector disabled or suspended",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountUPNSuffix",
                "identifier": "UPNSuffix"
              },
              {
                "columnName": "RecipientAccountId",
                "identifier": "CloudAppAccountId"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIpAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon%20Web%20Services/Analytic%20Rules/AWS_GuardDutyDisabled.yaml",
        "query": "AWSCloudTrail\n| where (EventName == \"DeleteDetector\" and isempty(ErrorCode) and isempty( ErrorMessage)) or (EventName == \"UpdateDetector\" and tostring(parse_json(RequestParameters).enable) == \"false\" and isempty(ErrorCode) and isempty( ErrorMessage))\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\n| extend UserName = tostring(split(UserIdentityArn, '/')[-1])\n| extend AccountName = case( UserIdentityPrincipalid == \"Anonymous\", \"Anonymous\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\n| extend AccountName = iif(AccountName contains \"@\", tostring(split(AccountName, '@', 0)[0]), AccountName),\n  AccountUPNSuffix = iif(AccountName contains \"@\", tostring(split(AccountName, '@', 1)[0]), \"\")\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}