AWS GuardDuty threat list disabled
Description
AlphaSOC detected modifications to an AWS GuardDuty threat list via the DeleteThreatIntelSet or UpdateThreatIntelSet API actions. AWS GuardDuty is a threat detection service that monitors AWS accounts and workloads for malicious activity and delivers security findings. Altering an AWS GuardDuty threat list may indicate an attempt to disrupt security defenses, potentially as part of a broader attack strategy.
Impact
Threat actors may remove malicious IP addresses from an AWS GuardDuty threat list or disable the list entirely, allowing their activities to go undetected.
Severity
| Severity | Condition |
|---|---|
| Informational | AWS GuardDuty threat list modified |
| Low | AWS GuardDuty threat list disabled |
Investigation and Remediation
Review AWS CloudTrail logs to identify the user or IAM role responsible for modifying the AWS GuardDuty threat list and verify whether this action was authorized. If unauthorized, restore the threat list to its previous state, rotate affected credentials, and analyze account activity to detect any signs of compromise or additional malicious actions.
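The following script is an added example of the CloudTrail review described above; it is not AlphaSOC's detection logic. It filters CloudTrail records for the two GuardDuty actions named in the Description, extracts the responsible principal and source IP, and assigns the severity from the table: an UpdateThreatIntelSet call with `activate` set to false, or a DeleteThreatIntelSet call, is treated as "disabled" (Low), any other update as "modified" (Informational). The field names follow the standard CloudTrail record layout and the GuardDuty API parameter names; the sample events, account ID, detector and threat-intel-set IDs and addresses are constructed placeholders.

```python
"""Triage CloudTrail records for GuardDuty threat-intel-set changes.

Added example (not AlphaSOC code). Assumes CloudTrail's standard record shape:
eventSource, eventName, eventTime, userIdentity, requestParameters,
sourceIPAddress and an errorCode key on failed calls.
"""
import json

# API actions referenced by the detection.
THREAT_LIST_ACTIONS = {"DeleteThreatIntelSet", "UpdateThreatIntelSet"}

# Severity values from the table in this page.
SEVERITY_MODIFIED = "Informational"
SEVERITY_DISABLED = "Low"


def classify(event):
    """Return a finding for a GuardDuty threat-list change, or None for anything else."""
    if event.get("eventSource") != "guardduty.amazonaws.com":
        return None
    name = event.get("eventName")
    if name not in THREAT_LIST_ACTIONS:
        return None
    params = event.get("requestParameters") or {}
    # Deactivating the set (activate=false) or deleting it stops GuardDuty from
    # matching against it, so both are rated as "disabled"; other updates as "modified".
    disabled = name == "DeleteThreatIntelSet" or params.get("activate") is False
    identity = event.get("userIdentity") or {}
    return {
        "eventName": name,
        "eventTime": event.get("eventTime"),
        "principal": identity.get("arn") or identity.get("principalId"),
        "identityType": identity.get("type"),
        "sourceIP": event.get("sourceIPAddress"),
        "detectorId": params.get("detectorId"),
        "threatIntelSetId": params.get("threatIntelSetId"),
        # A denied call did not change the list, but the attempt is still worth reviewing.
        "succeeded": "errorCode" not in event,
        "severity": SEVERITY_DISABLED if disabled else SEVERITY_MODIFIED,
    }


def load_cloudtrail(text):
    """Parse a CloudTrail log file ({"Records": [...]}) or a bare JSON list of records."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


def triage(records):
    """Classify every record; Low findings first, then by time."""
    findings = [f for f in (classify(r) for r in records) if f]
    order = {SEVERITY_DISABLED: 0, SEVERITY_MODIFIED: 1}
    findings.sort(key=lambda f: (order[f["severity"]], f["eventTime"] or ""))
    return findings


# Constructed sample events (placeholder IDs, RFC 5737 addresses, AWS example account).
SAMPLE_EVENTS = [
    {   # Content update by an IAM user: list modified.
        "eventTime": "2024-05-01T10:15:00Z", "eventSource": "guardduty.amazonaws.com",
        "eventName": "UpdateThreatIntelSet", "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEUSER",
                         "arn": "arn:aws:iam::123456789012:user/secops-admin"},
        "requestParameters": {"detectorId": "PLACEHOLDER-DETECTOR-ID",
                              "threatIntelSetId": "PLACEHOLDER-SET-ID",
                              "location": "s3://example-bucket/threat-list.txt"},
    },
    {   # Deactivation from an assumed role: list disabled.
        "eventTime": "2024-05-01T11:00:00Z", "eventSource": "guardduty.amazonaws.com",
        "eventName": "UpdateThreatIntelSet", "sourceIPAddress": "203.0.113.77",
        "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEROLE:session",
                         "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/session"},
        "requestParameters": {"detectorId": "PLACEHOLDER-DETECTOR-ID",
                              "threatIntelSetId": "PLACEHOLDER-SET-ID", "activate": False},
    },
    {   # Deletion attempt denied by IAM: still surfaced, marked as not succeeded.
        "eventTime": "2024-05-01T09:00:00Z", "eventSource": "guardduty.amazonaws.com",
        "eventName": "DeleteThreatIntelSet", "sourceIPAddress": "192.0.2.10",
        "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEDEV",
                         "arn": "arn:aws:iam::123456789012:user/developer"},
        "requestParameters": {"detectorId": "PLACEHOLDER-DETECTOR-ID",
                              "threatIntelSetId": "PLACEHOLDER-SET-ID"},
    },
    {   # Unrelated GuardDuty read call: ignored.
        "eventTime": "2024-05-01T12:00:00Z", "eventSource": "guardduty.amazonaws.com",
        "eventName": "ListFindings", "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/secops-admin"},
    },
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['severity']:<13} {f['eventTime']} {f['eventName']:<20} "
              f"{f['principal']} from {f['sourceIP']} succeeded={f['succeeded']}")
```

Each finding carries the principal ARN and source IP needed to decide whether the change was authorized; a finding with `succeeded` false records a denied attempt, which still warrants a look at that identity's other activity.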