Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. AWSCloudTrail - AWS GuardDuty detector disabled or suspended

AWSCloudTrail - AWS GuardDuty detector disabled or suspended

Back
Id9da99021-d318-4711-a78a-6dea76129b3a
RulenameAWSCloudTrail - AWS GuardDuty detector disabled or suspended
DescriptionIdentifies AWS GuardDuty detectors being disabled or suspended. This behavior can indicate defense evasion and should be validated with the initiating identity and approved administrative activity.
SeverityHigh
TacticsDefenseEvasion
TechniquesT1562
Required data connectorsAWS
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_GuardDutyDisabled.yaml
Version1.0.3
Arm template9da99021-d318-4711-a78a-6dea76129b3a.json
Deploy To Azure
AWSCloudTrail
| where (EventName == "DeleteDetector" and isempty(ErrorCode) and isempty( ErrorMessage)) or (EventName == "UpdateDetector" and tostring(parse_json(RequestParameters).enable) == "false" and isempty(ErrorCode) and isempty( ErrorMessage))
| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
| extend UserName = tostring(split(UserIdentityArn, '/')[-1])
| extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
| extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
  AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")

entityMappings:
- fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
  - columnName: RecipientAccountId
    identifier: CloudAppAccountId
  entityType: Account
- fieldMappings:
  - columnName: SourceIpAddress
    identifier: Address
  entityType: IP
triggerOperator: gt
tactics:
- DefenseEvasion
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_GuardDutyDisabled.yaml
alertDetailsOverride:
  alertDescriptionFormat: AWS GuardDuty detector activity {{EventName}} was detected for {{AccountName}} from {{SourceIpAddress}}.
  alertDisplayNameFormat: AWS GuardDuty detector disabled or suspended by {{AccountName}}
version: 1.0.3
query: |
  AWSCloudTrail
  | where (EventName == "DeleteDetector" and isempty(ErrorCode) and isempty( ErrorMessage)) or (EventName == "UpdateDetector" and tostring(parse_json(RequestParameters).enable) == "false" and isempty(ErrorCode) and isempty( ErrorMessage))
  | extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
  | extend UserName = tostring(split(UserIdentityArn, '/')[-1])
  | extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
  | extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
    AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")  
triggerThreshold: 0
relevantTechniques:
- T1562
queryPeriod: 1d
status: Available
severity: High
kind: Scheduled
customDetails:
  SourceIpAddress: SourceIpAddress
  UserName: UserName
  EventName: EventName
  UserIdentityArn: UserIdentityArn
name: AWSCloudTrail - AWS GuardDuty detector disabled or suspended
queryFrequency: 1d
id: 9da99021-d318-4711-a78a-6dea76129b3a
description: |
    Identifies AWS GuardDuty detectors being disabled or suspended. This behavior can indicate defense evasion and should be validated with the initiating identity and approved administrative activity.
requiredDataConnectors:
- dataTypes:
  - AWSCloudTrail
  connectorId: AWS