Update GuardDuty IP Set (AWS)
Platform | Author | Last Update |
---|---|---|
aws | Nick Jones | 2024-12-02 |
An adversary may attempt to alter a configured GuardDuty IP whitelist in order to whitelist systems they control and reduce the chance of malicious activity being detected.
MITRE IDs
Required Permissions
- guardduty:UpdateIPSet
Required Parameters
Name | Type | Description | Example Value |
---|---|---|---|
detectorid | str | ID of the GuardDuty detector associated with the IP set list | 12345 |
ipsetid | str | ID of the IP set to be updated | 12345 |
location | str | Location (URL) of the IP whitelist file | http://www.example.com |
Attacker Action
aws guardduty update-ip-set --activate --detector-id 12345 --ip-set-id 12345 --location http://www.example.com
Detection Case
ELK query
When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.
eventName:UpdateIPSet AND eventSource:*.guardduty.amazonaws.com
Sigma Definition
```yaml
---
title: Update guardduty ip set
id: 2faecc34-b0cb-4d41-872d-85186b6c2c6c
status: experimental
author: Nick Jones
date: 2024-12-02
description: An adversary may attempt to alter a configured GuardDuty IP whitelist in order to whitelist systems they control and reduce the chance of malicious activity being detected.
logsource:
  service: cloudtrail
detection:
  selection_source:
    - eventSource: "*.guardduty.amazonaws.com"
  events:
    - eventName: "UpdateIPSet"
  condition: selection_source and events
level: low
tags:
  - attack.T1562
falsepositives:
  - Developers making legitimate changes to the environment. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
```
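The Lucene query and Sigma rule above applied to raw CloudTrail records, as an added example that is not part of the original entry. The records and their field values are constructed; in particular the eventSource strings are assumptions, so verify the `*.guardduty.amazonaws.com` pattern against the value your own CloudTrail logs record, since a glob `*` followed by `.` needs at least one character before the dot.

```python
import fnmatch

# Patterns copied from the page's Lucene query / Sigma rule.
EVENT_SOURCE_PATTERN = "*.guardduty.amazonaws.com"
EVENT_NAME = "UpdateIPSet"

# Constructed sample CloudTrail records (not real logs); all values are placeholders.
SAMPLE_EVENTS = [
    {  # IP set updated via the CLI, mirroring the Attacker Action above: should fire
        "eventSource": "eu-west-1.guardduty.amazonaws.com",
        "eventName": "UpdateIPSet",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"},
        "userAgent": "aws-cli/2.15.0",
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"detectorId": "12345", "ipSetId": "12345",
                              "location": "http://www.example.com", "activate": True},
    },
    {  # Read-only GuardDuty call from the same principal: must not fire
        "eventSource": "eu-west-1.guardduty.amazonaws.com",
        "eventName": "ListIPSets",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"},
        "userAgent": "aws-cli/2.15.0",
        "requestParameters": {"detectorId": "12345"},
    },
    {  # eventSource without a leading label: "*." requires something before the dot,
       # so the rule as written does not match this record (assumed value)
        "eventSource": "guardduty.amazonaws.com",
        "eventName": "UpdateIPSet",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-user"},
        "requestParameters": {"detectorId": "12345", "ipSetId": "12345"},
    },
]

def matches_rule(event):
    """Sigma condition: selection_source AND events (glob on eventSource, exact eventName)."""
    return (fnmatch.fnmatchcase(event.get("eventSource", ""), EVENT_SOURCE_PATTERN)
            and event.get("eventName") == EVENT_NAME)

def triage_fields(event):
    """Extract what the false-positive note says to verify, plus the IP set being changed."""
    params = event.get("requestParameters") or {}
    return {"principal": event.get("userIdentity", {}).get("arn"),
            "userAgent": event.get("userAgent"),
            "sourceIPAddress": event.get("sourceIPAddress"),
            "detectorId": params.get("detectorId"), "ipSetId": params.get("ipSetId"),
            "location": params.get("location"), "activate": params.get("activate")}

def find_ip_set_updates(events):
    """Return a triage record for every CloudTrail event that satisfies the rule."""
    return [triage_fields(e) for e in events if matches_rule(e)]

if __name__ == "__main__":
    for hit in find_ip_set_updates(SAMPLE_EVENTS):
        print(hit)
```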