AWS GuardDuty Detection Suppression

Last updated 6 days ago on 2026-07-13
Created 6 days ago on 2026-07-13

About

Identifies attempts to suppress or blind Amazon GuardDuty without deleting the detector outright. Adversaries with GuardDuty permissions can create or update a trusted IP set (CreateIPSet/UpdateIPSet) so that traffic from listed addresses is never flagged, tamper with the threat intelligence feed used to generate findings (CreateThreatIntelSet/UpdateThreatIntelSet), or soft-disable the detector via UpdateDetector with Enable set to false. All three techniques leave the detector itself intact, evading detections that only look for detector deletion.
Tags
Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS GuardDutyUse Case: Threat DetectionTactic: Defense EvasionLanguage: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Defense Evasion (TA0005)(external, opens in a new tab or window)

False Positive Examples
Security teams may legitimately register trusted IP ranges (VPNs, scanners, NAT gateways) or update threat intelligence feeds as part of normal GuardDuty tuning. Verify whether the user identity, user agent, and/or hostname should be making changes to GuardDuty configuration. If known behavior is causing false positives, it can be exempted from the rule.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-aws.cloudtrail-*
Related Integrations

aws(external, opens in a new tab or window)

Query
text code block:
data_stream.dataset: "aws.cloudtrail" and event.provider: "guardduty.amazonaws.com" and event.outcome: "success" and ( (event.action: ("CreateIPSet" or "UpdateIPSet" or "CreateThreatIntelSet" or "UpdateThreatIntelSet") and aws.cloudtrail.flattened.request_parameters.activate: (true or "true")) or (event.action: "UpdateDetector" and aws.cloudtrail.flattened.request_parameters.enable: (false or "false")) )

Install detection rules in Elastic Security

Detect AWS GuardDuty Detection Suppression in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).