AWS GuardDuty threat intel set deleted

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when an attacker is trying to evade defenses by deleting a GuardDuty ThreatIntelSet.

Strategy

This rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a GuardDuty ThreatIntelSet:

Triage and response

  1. Determine if user: {{@userIdentity.arn}} should have made a {{@evt.name}} API call.
  2. If the API call was not made by the user:
  • Rotate user credentials.
  • Determine what other API calls were made by the user.
  • Replace ThreatIntelSets deleted by the user with the aws-cli command create-threat-intel-set or use the AWS Console.
  1. If the API call was made by the user:
  • Determine if the user should be performing this API call and if it was an authorized change.
  • If No, see if other API calls were made by the user and determine if they warrant further investigation.