AWS GuardDuty Enabled
GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Stealth | T1562 Impair Defenses |
Rule body

```yaml
AnalysisType: policy
Filename: aws_guardduty_enabled.py
PolicyID: "AWS.GuardDuty.Enabled"
DisplayName: "AWS GuardDuty Enabled"
Enabled: true
ResourceTypes:
  - AWS.GuardDuty.Detector.Meta
Tags:
  - AWS
  - Security Control
  - Defense Evasion:Impair Defenses
  - Configuration Required
Reports:
  MITRE ATT&CK:
    - TA0005:T1562
Severity: High
Description: >
  GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior.
Runbook: >
  https://docs.runpanther.io/alert-runbooks/built-in-policies/aws-guardduty-is-enabled
Reference: https://aws.amazon.com/guardduty/
Tests:
  - Name: Detectors Do Not Exist
    ExpectedResult: false
    Resource:
      {
        "AccountId": "123456789012",
        "Region": "global",
        "Tags": null,
        "ResourceId": "123456789012::AWS.GuardDuty.Detector.Meta",
        "ResourceType": "AWS.GuardDuty.Detector.Meta",
        "TimeCreated": null,
        "Detectors": [],
      }
  - Name: Detectors Exist
    ExpectedResult: true
    Resource:
      {
        "AccountId": "123456789012",
        "Region": "global",
        "Tags": null,
        "ResourceId": "123456789012::AWS.GuardDuty.Detector.Meta",
        "ResourceType": "AWS.GuardDuty.Detector.Meta",
        "TimeCreated": null,
        "Detectors":
          [
            "123456789012:ap-southeast-2:AWS.GuardDuty.Detector",
            "123456789012:eu-central-1:AWS.GuardDuty.Detector",
            "123456789012:us-west-2:AWS.GuardDuty.Detector",
          ],
      }
  - Name: Detectors Exist But Not in Required Regions
    ExpectedResult: false
    Resource:
      {
        "AccountId": "123456789012",
        "Region": "global",
        "Tags": null,
        "ResourceId": "123456789012::AWS.GuardDuty.Detector.Meta",
        "ResourceType": "AWS.GuardDuty.Detector.Meta",
        "TimeCreated": null,
        "Detectors":
          [
            "123456789012:ap-southeast-2:AWS.GuardDuty.Detector",
            "123456789012:eu-central-1:AWS.GuardDuty.Detector",
          ],
      }
```
Detection logic
Rule logic (imperative Python)

```python
# Regions in which a GuardDuty detector must exist for the account to pass.
# Extend this set to every region the account actually operates in.
REGIONS_REQUIRED = {
    "us-west-2",
}


def policy(resource):
    # Each detector id has the form "<account-id>:<region>:AWS.GuardDuty.Detector";
    # the region is the middle component.
    regions_enabled = [detector.split(":")[1] for detector in resource["Detectors"]]
    # Fail on the first required region that has no detector.
    for region in REGIONS_REQUIRED:
        if region not in regions_enabled:
            return False
    return True
```
The parser cannot express this rule's logic as a field filter; the imperative Python above is the detection.
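The following is an added example, not Panther's policy module, that generalizes the rule above: it checks a wider set of required regions, reports which required regions have no detector (useful as alert context instead of a bare pass/fail), tolerates a null `Detectors` field and malformed detector ids, and runs the page's three test fixtures, reconstructed here, through the check. The detector id format `<account-id>:<region>:AWS.GuardDuty.Detector` is taken from the page's tests; the three-region `REGIONS_REQUIRED` set, the function names `enabled_regions` and `missing_regions` and the fixture helper are assumptions for illustration.

```python
"""Added example: GuardDuty-enabled policy with per-region findings.

Illustration code, not Panther's own policy module. Assumes the detector id
format shown in the page's test fixtures:
"<account-id>:<region>:AWS.GuardDuty.Detector".
"""

# Hypothetical wider region set than the page's single "us-west-2".
REGIONS_REQUIRED = {"us-west-2", "eu-central-1", "ap-southeast-2"}

DETECTOR_SUFFIX = "AWS.GuardDuty.Detector"


def enabled_regions(resource):
    """Return the set of regions that have a GuardDuty detector.

    A null/missing "Detectors" field counts as no detectors. Ids that do not
    have the expected three-part form are ignored rather than raising, so one
    odd entry cannot crash the policy and mask a real finding.
    """
    regions = set()
    for detector in resource.get("Detectors") or []:
        parts = detector.split(":")
        if len(parts) == 3 and parts[2] == DETECTOR_SUFFIX and parts[1]:
            regions.add(parts[1])
    return regions


def missing_regions(resource, required=REGIONS_REQUIRED):
    """Required regions with no detector, sorted so alert text is stable."""
    return sorted(set(required) - enabled_regions(resource))


def policy(resource, required=REGIONS_REQUIRED):
    """Panther-style verdict: True (compliant) only when nothing is missing."""
    return not missing_regions(resource, required)


# Constructed fixtures mirroring the three test cases on the page.
ACCOUNT = "123456789012"


def _resource(detector_regions):
    # Hypothetical helper that builds an AWS.GuardDuty.Detector.Meta resource.
    return {
        "AccountId": ACCOUNT,
        "Region": "global",
        "Tags": None,
        "ResourceId": f"{ACCOUNT}::AWS.GuardDuty.Detector.Meta",
        "ResourceType": "AWS.GuardDuty.Detector.Meta",
        "TimeCreated": None,
        "Detectors": [f"{ACCOUNT}:{r}:{DETECTOR_SUFFIX}" for r in detector_regions],
    }


NO_DETECTORS = _resource([])
ALL_REGIONS = _resource(["ap-southeast-2", "eu-central-1", "us-west-2"])
PARTIAL = _resource(["ap-southeast-2", "eu-central-1"])


if __name__ == "__main__":
    for name, res in [("none", NO_DETECTORS), ("all", ALL_REGIONS), ("partial", PARTIAL)]:
        print(f"{name}: compliant={policy(res)} missing={missing_regions(res)}")
```

The `missing_regions` list is what a practitioner would surface in the alert title or the policy's `title()`/`alert_context()` so the responder knows which region to enable GuardDuty in; the page's own policy only returns the boolean.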