Merge branch 'main' into 5355-fr-esql-remote-validation-support-newline-split-indices

eric-forte-elastic · web-flow · commit 88cffa57d25b · 2025-11-24T11:06:02.000-05:00
diff --git a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
@@ -2,13 +2,16 @@
 creation_date = "2020/05/28"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/12"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and
-all existing findings are lost.
+Detects the deletion of an Amazon GuardDuty detector. GuardDuty provides continuous monitoring for malicious or
+unauthorized activity across AWS accounts. Deleting the detector disables this visibility, stopping all threat detection
+and removing existing findings. Adversaries may delete GuardDuty detectors to impair security monitoring and evade
+detection during or after an intrusion. This rule identifies successful "DeleteDetector" API calls and can indicate a
+deliberate defense evasion attempt.
 """
 false_positives = [
     """
@@ -17,64 +20,99 @@ false_positives = [
     should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
     """,
 ]
-from = "now-60m"
+from = "now-6m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
-interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS GuardDuty Detector Deletion"
 note = """## Triage and analysis
 
 > **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. 
+> While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
 ### Investigating AWS GuardDuty Detector Deletion
 
-AWS GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior in AWS environments. Deleting a GuardDuty detector halts this monitoring, potentially concealing malicious actions. Adversaries may exploit this by deleting detectors to evade detection. The detection rule identifies successful deletion events, signaling potential defense evasion attempts, and is crucial for maintaining security visibility.
+Amazon GuardDuty is a continuous threat detection service that analyzes CloudTrail, DNS, and VPC Flow Logs to identify malicious activity and compromised resources. Deleting a GuardDuty detector stops this monitoring entirely and permanently removes all historical findings for the affected AWS account. This rule detects successful `DeleteDetector` API calls, which may represent an attacker attempting to impair defenses and evade detection. Such actions should be rare and always performed under controlled administrative change processes.
 
-### Possible investigation steps
+#### Possible investigation steps
 
-- Review the CloudTrail logs for the specific event.provider:guardduty.amazonaws.com and event.action:DeleteDetector to identify the user or role responsible for the deletion.
-- Check the event.outcome:success to confirm the deletion was successful and not an attempted action.
-- Investigate the IAM permissions and recent activity of the user or role identified to determine if the deletion was authorized or potentially malicious.
-- Examine any recent GuardDuty findings prior to the deletion to assess if there were any critical alerts that might have prompted the deletion.
-- Correlate the timing of the detector deletion with other security events or anomalies in the AWS environment to identify potential patterns or coordinated actions.
-- Review AWS CloudTrail logs for any other suspicious activities or changes in the environment around the time of the detector deletion.
+- **Identify the actor**
+  - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type` to determine who initiated the deletion.
+  - Verify whether this principal normally performs GuardDuty configuration or administrative tasks.
+
+- **Review request context**
+  - Check `aws.cloudtrail.request_parameters` and `cloud.region` to confirm the targeted GuardDuty detector and scope of impact.
+  - Determine whether multiple detectors or member accounts were affected (especially in delegated admin organizations).
+
+- **Analyze source and access patterns**
+  - Review `source.ip`, `user_agent.original` and `source.geo` fields for anomalous or previously unseen access locations or automation clients.
+  - Check whether the deletion occurred outside standard maintenance windows or during a concurrent suspicious activity window.
+
+- **Correlate with preceding or related activity**
+  - Search for earlier GuardDuty configuration changes:
+    - `StopMonitoringMembers`, `DisassociateMembers`, or `DeleteMembers`
+    - IAM role or policy modifications reducing GuardDuty privileges
+  - Look for other defense evasion indicators such as CloudTrail suspension, Security Hub configuration changes, or disabling of AWS Config rules.
+
+- **Review historical GuardDuty findings**
+  - Examine prior GuardDuty alerts and findings (if still retrievable) to determine whether the deletion followed significant detection activity.
+  - Use centralized logs or security data lakes to recover findings removed from the console.
 
 ### False positive analysis
 
-- Routine maintenance or administrative actions may lead to the deletion of a GuardDuty detector. Verify if the deletion aligns with scheduled maintenance or administrative tasks.
-- Automated scripts or tools used for environment cleanup might inadvertently delete detectors. Review and adjust automation scripts to prevent unintended deletions.
-- Organizational policy changes or restructuring could result in detector deletions. Ensure that policy changes are communicated and understood by all relevant teams to avoid unnecessary deletions.
-- Exclude known and authorized users or roles from triggering alerts by creating exceptions for specific IAM roles or user accounts that are responsible for legitimate detector deletions.
-- Implement logging and alerting for detector deletions to quickly identify and verify the legitimacy of the action, allowing for rapid response to potential false positives.
+- **Authorized administrative actions**
+  - Verify whether the deletion corresponds to legitimate account decommissioning, region cleanup, or migration activity.
+- **Automation or IaC**
+  - GuardDuty may be disabled temporarily during infrastructure provisioning or teardown in automated environments. 
+    Confirm via CI/CD logs or Infrastructure-as-Code templates.
+- **Organizational configuration changes**
+  - Large organizations might consolidate GuardDuty under a delegated administrator account, causing detectors to be deleted in member accounts. 
+    Validate these actions against security architecture changes.
 
 ### Response and remediation
 
-- Immediately re-enable GuardDuty in the affected AWS account to restore monitoring capabilities and ensure continuous threat detection.
-- Conduct a thorough review of CloudTrail logs to identify any unauthorized access or suspicious activities that occurred during the period when GuardDuty was disabled.
-- Isolate any compromised resources identified during the log review to prevent further unauthorized access or damage.
-- Notify the security operations team and relevant stakeholders about the incident for awareness and further investigation.
-- Implement additional access controls and monitoring on the AWS account to prevent unauthorized deletion of GuardDuty detectors in the future.
-- Review and update IAM policies to ensure that only authorized personnel have permissions to delete GuardDuty detectors.
-- Consider enabling AWS Config rules to monitor and alert on changes to GuardDuty configurations for proactive detection of similar incidents.
+- **Containment and restoration**
+  - If unauthorized, immediately re-enable GuardDuty in the affected account and region using the `CreateDetector` API or AWS console.
+  - Verify that findings aggregation and member account associations are restored to expected configurations.
+
+- **Investigation**
+  - Review CloudTrail for related privilege escalation or resource tampering events around the deletion time.
+  - Assess whether any attacker activity occurred during the monitoring gap between deletion and restoration.
 
-## Setup
+- **Recovery and hardening**
+  - Restrict `guardduty:DeleteDetector` permissions to a limited administrative role.
+  - Implement AWS Config rules or Security Hub controls to alert on changes to GuardDuty detectors or configuration states.
+  - Enforce least privilege IAM policies, ensuring operational automation cannot disable GuardDuty outside maintenance workflows.
+  - Document approved GuardDuty maintenance activities and correlate them with change tickets for traceability.
 
-The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+### Additional information
+- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** 
+- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** 
+- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
+"""
 references = [
-    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html",
     "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html",
 ]
 risk_score = 73
 rule_id = "523116c0-d89d-4d7c-82c2-39e6845a78ef"
 severity = "high"
-tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
+tags = [
+    "Domain: Cloud",
+    "Data Source: AWS",
+    "Data Source: Amazon Web Services",
+    "Data Source: AWS GuardDuty",
+    "Tactic: Defense Evasion",
+    "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success
+event.dataset: aws.cloudtrail 
+  and event.provider: guardduty.amazonaws.com 
+  and event.action: DeleteDetector 
+  and event.outcome: success
 '''
 
 
@@ -96,3 +134,20 @@ id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
 
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.name",
+    "user_agent.original",
+    "source.ip",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.access_key_id",
+    "target.entity.id",
+    "event.action",
+    "event.outcome",
+    "cloud.account.id",
+    "cloud.region",
+    "aws.cloudtrail.request_parameters",
+]
+
