
AWS GuardDuty disabled

ID: aws_guardduty_disabled
Data type: AWS CloudTrail
Severity: Medium
MITRE ATT&CK: TA0005:T1562

Description

AlphaSOC detected that AWS GuardDuty was disabled. AWS GuardDuty is a threat detection service that monitors AWS accounts and workloads for malicious activity and delivers security findings. Disabling it may indicate that threat actors are attempting to disrupt defensive mechanisms, potentially as part of a broader attack strategy.

Impact

Disabling AWS GuardDuty reduces the ability to detect and respond to security threats in the AWS environment, increasing the risk of unauthorized access, data exfiltration, and resource abuse.

Severity

Severity    Condition
Medium      AWS GuardDuty was disabled

Investigation and Remediation

Review AWS CloudTrail logs to identify the user or IAM role responsible for disabling AWS GuardDuty and verify whether this action was authorized. If unauthorized, re-enable AWS GuardDuty, rotate affected credentials, and analyze account activity to detect any signs of compromise or additional malicious actions.
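As an added example (not code from the original AlphaSOC page, and not its detection engine), the following Python script shows the condition this rule keys on and the CloudTrail review the investigation step starts with: it scans CloudTrail records for the two GuardDuty API calls that turn a detector off (DeleteDetector, and UpdateDetector with enable set to false), skips calls that failed, and extracts the responsible principal, the role behind an assumed-role session, the source IP and the detector id. The sample records, account id, ARNs, detector id and IP addresses are constructed for the example.

```python
"""Flag AWS GuardDuty being disabled in CloudTrail records (added example)."""
import json
from dataclasses import dataclass

GUARDDUTY_SOURCE = "guardduty.amazonaws.com"
RULE_ID = "aws_guardduty_disabled"


@dataclass
class Finding:
    rule_id: str
    event_time: str
    event_name: str
    actor_arn: str          # IAM user, or the role behind an assumed-role session
    session_arn: str        # the identity as CloudTrail recorded it
    source_ip: str
    detector_id: str
    severity: str = "Medium"
    mitre: str = "TA0005:T1562"


def actor_arn(user_identity: dict) -> str:
    """For AssumedRole calls, CloudTrail puts the session in `arn` and the
    role itself under sessionContext.sessionIssuer; report the role so the
    analyst lands on the IAM entity to review (or rotate)."""
    issuer = user_identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or user_identity.get("arn", "<unknown>")


def is_guardduty_disable(event: dict) -> bool:
    """True only for calls that actually disabled or deleted a detector.
    Denied attempts carry errorCode and are excluded here; they are still
    worth a lower-priority alert, but this rule's condition is 'was disabled'."""
    if event.get("eventSource") != GUARDDUTY_SOURCE or event.get("errorCode"):
        return False
    name = event.get("eventName")
    if name == "DeleteDetector":
        return True
    if name == "UpdateDetector":
        params = event.get("requestParameters") or {}
        return params.get("enable") is False
    return False


def scan(events: list) -> list:
    """Return one Finding per GuardDuty-disable event, in log order."""
    findings = []
    for ev in events:
        if not is_guardduty_disable(ev):
            continue
        ident = ev.get("userIdentity", {})
        params = ev.get("requestParameters") or {}
        findings.append(Finding(
            rule_id=RULE_ID,
            event_time=ev.get("eventTime", ""),
            event_name=ev["eventName"],
            actor_arn=actor_arn(ident),
            session_arn=ident.get("arn", "<unknown>"),
            source_ip=ev.get("sourceIPAddress", ""),
            detector_id=params.get("detectorId", ""),
        ))
    return findings


def load_records(cloudtrail_json: str) -> list:
    """CloudTrail delivers log files as {"Records": [...]}."""
    return json.loads(cloudtrail_json).get("Records", [])


# Constructed sample records (account id, ARNs, detector id, IPs are made up).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": GUARDDUTY_SOURCE,
     "eventName": "UpdateDetector", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ExampleOpsRole/session1",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::123456789012:role/ExampleOpsRole"}}},
     "requestParameters": {"detectorId": "12abc34d567e8fa901bc2d34e56789f0", "enable": False}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": GUARDDUTY_SOURCE,
     "eventName": "UpdateDetector", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"detectorId": "12abc34d567e8fa901bc2d34e56789f0", "enable": True}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": GUARDDUTY_SOURCE,
     "eventName": "DeleteDetector", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"detectorId": "12abc34d567e8fa901bc2d34e56789f0"}},
    {"eventTime": "2024-05-01T10:09:00Z", "eventSource": GUARDDUTY_SOURCE,
     "eventName": "UpdateDetector", "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/carol"},
     "requestParameters": {"detectorId": "12abc34d567e8fa901bc2d34e56789f0", "enable": False}},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule_id} {f.event_time} {f.event_name} "
              f"by {f.actor_arn} from {f.source_ip} (detector {f.detector_id})")
```

Run against a real delivery, feed `load_records()` the contents of a CloudTrail log file and pass the result to `scan()`; the `actor_arn` field is the IAM entity to verify authorization for, and `source_ip` plus `session_arn` are the pivot points for the wider account-activity review the remediation step calls for.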

Further Reading