
AWS GuardDuty threat list modified

ID: aws_guardduty_threat_list_modified
Data type: AWS CloudTrail
Severity: Informational - Low
MITRE ATT&CK: TA0005:T1562 (Defense Evasion: Impair Defenses)

Description

AlphaSOC detected a modification to an AWS GuardDuty threat list (threat intel set) through the DeleteThreatIntelSet or UpdateThreatIntelSet API actions recorded in AWS CloudTrail. AWS GuardDuty is a threat detection service that monitors AWS accounts and workloads for malicious activity and delivers security findings; a threat list is a customer-supplied set of known-malicious IP addresses that GuardDuty matches against observed activity. Deleting a threat list, or updating it to change its source location or deactivate it, may indicate an attempt to disrupt security defenses, potentially as part of a broader attack.

Impact

Threat actors may remove their own IP addresses from an AWS GuardDuty threat list, point the list at a different source location, or deactivate or delete the list entirely, so that activity involving those addresses no longer generates findings and their operations go undetected.

Severity

Severity        Condition
Informational   AWS GuardDuty threat list modified (UpdateThreatIntelSet or DeleteThreatIntelSet)
Low             AWS GuardDuty threat list disabled (UpdateThreatIntelSet with activate set to false)

Investigation and Remediation

Review AWS CloudTrail events with eventSource guardduty.amazonaws.com and eventName UpdateThreatIntelSet or DeleteThreatIntelSet to identify the IAM user or assumed role (userIdentity) and source IP address (sourceIPAddress) responsible, and verify with the owning team whether the change was authorized. Check for related defensive changes by the same principal around the same time, such as changes to GuardDuty detectors, IP sets or findings filters. If the change was unauthorized, restore the threat list to its previous state (re-enable it with UpdateThreatIntelSet, or re-create it with CreateThreatIntelSet if it was deleted), confirm the result with GetThreatIntelSet, rotate the affected credentials, and analyze the principal's wider account activity for signs of compromise or additional malicious actions.
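The triage step above, as an added example that is not AlphaSOC's own detection code: it scans CloudTrail records for the two GuardDuty actions, skips calls the API rejected (nothing was modified), and assigns severity following the table in this page, treating UpdateThreatIntelSet with activate set to false as "disabled". The sample records are constructed for the example; it assumes the CloudTrail requestParameters field mirrors the API's activate, detectorId and threatIntelSetId parameters, and the account IDs, ARNs and set identifiers are placeholders.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# GuardDuty API actions that change a threat intel set (the two named on the page).
THREAT_LIST_EVENTS = {"UpdateThreatIntelSet", "DeleteThreatIntelSet"}
GUARDDUTY_SOURCE = "guardduty.amazonaws.com"


@dataclass
class ThreatListAlert:
    event_time: str
    event_name: str
    principal: str                    # ARN of the IAM user or assumed-role session
    source_ip: str
    threat_intel_set_id: Optional[str]
    severity: str                     # "Informational" or "Low", per the page's table
    condition: str


def classify(record: dict) -> Optional[ThreatListAlert]:
    """Return an alert if this CloudTrail record modified a GuardDuty threat list."""
    if record.get("eventSource") != GUARDDUTY_SOURCE:
        return None
    name = record.get("eventName")
    if name not in THREAT_LIST_EVENTS:
        return None
    # A rejected call (e.g. AccessDeniedException) changed nothing; it is still worth
    # a separate "attempted tampering" rule, but it is not a modification.
    if record.get("errorCode"):
        return None
    params = record.get("requestParameters") or {}
    # Assumption: requestParameters carries the API's 'activate' flag. activate=false
    # deactivates the list, which the page rates Low; every other change is Informational.
    if name == "UpdateThreatIntelSet" and params.get("activate") is False:
        severity, condition = "Low", "AWS GuardDuty threat list disabled"
    else:
        severity, condition = "Informational", "AWS GuardDuty threat list modified"
    identity = record.get("userIdentity") or {}
    return ThreatListAlert(
        event_time=record.get("eventTime", ""),
        event_name=name,
        principal=identity.get("arn", "<unknown>"),
        source_ip=record.get("sourceIPAddress", "<unknown>"),
        threat_intel_set_id=params.get("threatIntelSetId"),
        severity=severity,
        condition=condition,
    )


def scan(records: Iterable[dict]) -> List[ThreatListAlert]:
    """Classify every record and keep only the ones that fire."""
    return [a for a in (classify(r) for r in records) if a is not None]


def load_cloudtrail(text: str) -> List[dict]:
    """Parse a CloudTrail log file body, which wraps events in a top-level 'Records' list."""
    return json.loads(text).get("Records", [])


# Constructed sample events (placeholder account, ARNs, IPs and identifiers).
_DETECTOR = "12abc34d567e8fa901bc2d34e56789f0"
_SET_ID = "abc1234d567e8fa901bc2d34e56789f0"
SAMPLE_EVENTS = [
    {   # list updated but left active -> Informational
        "eventTime": "2024-05-01T10:00:00Z", "eventSource": GUARDDUTY_SOURCE,
        "eventName": "UpdateThreatIntelSet", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"detectorId": _DETECTOR, "threatIntelSetId": _SET_ID,
                              "location": "https://s3.amazonaws.com/example-bucket/ips.txt",
                              "activate": True},
    },
    {   # list deactivated -> Low
        "eventTime": "2024-05-01T10:05:00Z", "eventSource": GUARDDUTY_SOURCE,
        "eventName": "UpdateThreatIntelSet", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/DevOps/bob"},
        "requestParameters": {"detectorId": _DETECTOR, "threatIntelSetId": _SET_ID,
                              "activate": False},
    },
    {   # list deleted -> Informational (per the page's table)
        "eventTime": "2024-05-01T10:06:00Z", "eventSource": GUARDDUTY_SOURCE,
        "eventName": "DeleteThreatIntelSet", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/DevOps/bob"},
        "requestParameters": {"detectorId": _DETECTOR, "threatIntelSetId": _SET_ID},
    },
    {   # read-only call: ignored
        "eventTime": "2024-05-01T10:07:00Z", "eventSource": GUARDDUTY_SOURCE,
        "eventName": "ListThreatIntelSets", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"detectorId": _DETECTOR},
    },
    {   # denied attempt: nothing modified, ignored by this rule
        "eventTime": "2024-05-01T10:08:00Z", "eventSource": GUARDDUTY_SOURCE,
        "eventName": "UpdateThreatIntelSet", "sourceIPAddress": "192.0.2.44",
        "errorCode": "AccessDeniedException",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/mallory"},
        "requestParameters": {"detectorId": _DETECTOR, "threatIntelSetId": _SET_ID,
                              "activate": False},
    },
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert.event_time} {alert.severity:13} {alert.event_name:22} "
              f"{alert.principal} from {alert.source_ip}")
```

Point load_cloudtrail at a gunzipped CloudTrail object from the trail's S3 bucket (or at a CloudTrail Lake / Athena export) and pass the result to scan; the principal and source IP on each alert are the starting point for the authorization check described above.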