AWS GuardDuty publishing destination deleted

ID: aws_guardduty_destination_deleted
Data type: AWS CloudTrail
Severity: High
MITRE ATT&CK: TA0005:T1562.008

Description

AlphaSOC detected that an AWS GuardDuty publishing destination was deleted using the DeletePublishingDestination action. This action disables the export of AWS GuardDuty findings to other AWS services. Threat actors may use it to hinder security monitoring and evade detection, because GuardDuty findings are no longer exported and analyzed.

Impact

Deleting a GuardDuty publishing destination can impair an organization's ability to monitor and respond to security threats. It may result in delayed incident response and increased vulnerability to ongoing or future attacks.

Severity

Severity | Condition
High | AWS GuardDuty publishing destination deleted

Investigation and Remediation

Review the AWS CloudTrail logs to identify the user or role responsible for the DeletePublishingDestination action. Verify whether the action was authorized. If unauthorized, revoke any potentially compromised credentials, recreate the publishing destination, and conduct a thorough security assessment of the AWS environment.
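
One way to run the CloudTrail review described above, as an added example (not AlphaSOC's detection code): it filters a CloudTrail log file for DeletePublishingDestination calls and reports who made each call and whether it succeeded. The sample records are constructed, and the `detectorId` / `destinationId` request parameter names are assumptions about how the call is logged.

```python
import json

# Constructed sample records in the CloudTrail log-file layout; all ARNs, IDs and IPs are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "DeletePublishingDestination", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ExampleRole/session1",
                      "accessKeyId": "ASIAEXAMPLEKEYID0001",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::111122223333:role/ExampleRole"}}},
     "requestParameters": {"detectorId": "EXAMPLE-DETECTOR", "destinationId": "EXAMPLE-DEST"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "DeletePublishingDestination", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.9", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-user",
                      "accessKeyId": "AKIAEXAMPLEKEYID0002"},
     "requestParameters": None},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "ListDetectors", "userIdentity": {"type": "Root"}},
]})

def actor(identity):
    """Return the responsible principal; for assumed roles, the role that issued the session."""
    if identity.get("type") == "AssumedRole":
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        return issuer.get("arn") or identity.get("arn")
    return identity.get("arn") or identity.get("type", "unknown")

def find_deletions(cloudtrail_json):
    """List every DeletePublishingDestination call, including denied attempts."""
    findings = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if (rec.get("eventSource"), rec.get("eventName")) != (
                "guardduty.amazonaws.com", "DeletePublishingDestination"):
            continue
        identity = rec.get("userIdentity", {})
        params = rec.get("requestParameters") or {}  # may be null on failed calls
        findings.append({
            "time": rec.get("eventTime"), "region": rec.get("awsRegion"),
            "actor": actor(identity), "access_key": identity.get("accessKeyId"),
            "source_ip": rec.get("sourceIPAddress"),
            "destination_id": params.get("destinationId"),  # assumed key name
            "succeeded": "errorCode" not in rec,
        })
    return findings

if __name__ == "__main__":
    for finding in find_deletions(SAMPLE_LOG):
        print(finding)
```

Denied attempts are kept in the output because a failed call still identifies a principal that tried to remove the destination; the access key ID is reported so the matching credential can be revoked.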