ArchiveFindings

CSP: AWS
Event

Archives GuardDuty findings so that active security alerts drop out of the default console view and out of SOC workflows built on it.

Security Context

  • Archiving a finding does not delete it or stop GuardDuty from detecting: it only moves the finding out of the "Current" view that the console shows by default. Analysts who triage from that view, or from tooling that queries only unarchived findings, will not see the threat, which gives an adversary time to operate. Archived findings are still returned when the console filter or ListFindings is set to archived findings, so the evidence can be recovered once the call is noticed.
  • Only the GuardDuty administrator account (or a standalone account acting on its own detector) can archive findings; member accounts cannot. An ArchiveFindings call therefore comes from an identity with administrator-level access to GuardDuty, which is itself worth scrutinizing.
  • The same effect can be made persistent with a suppression rule (a CreateFilter call whose action is ARCHIVE), which automatically archives future findings that match the filter. Detection logic for this technique should watch for that call as well as for ArchiveFindings.
  • Suppressing security alerts is a common defense evasion technique used after initial compromise to buy time for lateral movement and data exfiltration.
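Detection logic for the two suppression paths described above, run over constructed CloudTrail records. This is an added example, not code from the original page or from AWS; the records, account IDs, detector and finding IDs, filter name and source IP are all made up, and the field layout follows CloudTrail's management-event schema (eventSource, eventName, requestParameters, errorCode). Failed calls (errorCode present) are flagged too, since a denied ArchiveFindings attempt is still an attempt.

```python
"""Flag GuardDuty finding suppression in CloudTrail management events.

Two calls push findings out of the default console view:
  * ArchiveFindings            - archives existing findings by ID
  * CreateFilter (action=ARCHIVE) - suppression rule that auto-archives future matches
"""
import json
from typing import Iterable

GUARDDUTY_SOURCE = "guardduty.amazonaws.com"

# Constructed sample records (not real telemetry); identifiers are fictitious.
SAMPLE_RECORDS = [
    {   # manual archive of two findings -> flagged
        "eventTime": "2024-05-01T10:14:00Z", "eventSource": GUARDDUTY_SOURCE,
        "eventName": "ArchiveFindings", "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"detectorId": "12abc34d567e8fa901bc2d34e56789f0",
                              "findingIds": ["0123456789abcdef0123456789abcdef",
                                             "fedcba9876543210fedcba9876543210"]},
    },
    {   # read-only call -> ignored
        "eventTime": "2024-05-01T10:15:00Z", "eventSource": GUARDDUTY_SOURCE,
        "eventName": "ListFindings", "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"detectorId": "12abc34d567e8fa901bc2d34e56789f0"},
    },
    {   # filter that only tags findings (action NOOP) -> ignored
        "eventTime": "2024-05-01T10:16:00Z", "eventSource": GUARDDUTY_SOURCE,
        "eventName": "CreateFilter", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.8",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/SecOps/bob"},
        "requestParameters": {"detectorId": "12abc34d567e8fa901bc2d34e56789f0",
                              "name": "tag-low-sev", "action": "NOOP"},
    },
    {   # suppression rule that auto-archives matches -> flagged
        "eventTime": "2024-05-01T10:17:00Z", "eventSource": GUARDDUTY_SOURCE,
        "eventName": "CreateFilter", "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {"detectorId": "12abc34d567e8fa901bc2d34e56789f0",
                              "name": "quiet-exfil", "action": "ARCHIVE"},
    },
    {   # archive attempt denied by IAM -> still flagged, succeeded=False
        "eventTime": "2024-05-01T10:18:00Z", "eventSource": GUARDDUTY_SOURCE,
        "eventName": "ArchiveFindings", "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.77", "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::444455556666:user/member-user"},
        "requestParameters": {"detectorId": "98fe76dc54ba3210fe98dc76ba54f321",
                              "findingIds": ["00000000000000000000000000000001"]},
    },
    {   # unrelated service -> ignored
        "eventTime": "2024-05-01T10:19:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets", "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
    },
]


def records_from_cloudtrail_json(text: str) -> list[dict]:
    """Unwrap the {"Records": [...]} envelope CloudTrail writes to S3 log files."""
    return json.loads(text).get("Records", [])


def detect_finding_suppression(records: Iterable[dict]) -> list[dict]:
    """Return one alert per event that archives or auto-archives GuardDuty findings."""
    alerts = []
    for rec in records:
        if rec.get("eventSource") != GUARDDUTY_SOURCE:
            continue
        name = rec.get("eventName")
        params = rec.get("requestParameters") or {}
        if name == "ArchiveFindings":
            detail = {"finding_ids": list(params.get("findingIds", []))}
        elif name == "CreateFilter" and params.get("action") == "ARCHIVE":
            detail = {"filter_name": params.get("name")}
        else:
            continue
        alerts.append({
            "event": name,
            "time": rec.get("eventTime"),
            "actor": (rec.get("userIdentity") or {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "detector_id": params.get("detectorId"),
            "succeeded": "errorCode" not in rec,  # denied attempts are still signal
            **detail,
        })
    return alerts


if __name__ == "__main__":
    envelope = json.dumps({"Records": SAMPLE_RECORDS})
    for alert in detect_finding_suppression(records_from_cloudtrail_json(envelope)):
        print(json.dumps(alert))
```

Against the constructed records this yields three alerts: the successful ArchiveFindings call, the ARCHIVE suppression rule, and the denied ArchiveFindings attempt from the member account. In production, feed it the Records array from CloudTrail log files or the matching CloudTrail Lake / SIEM query, and pair each alert with a lookup of the archived finding IDs so the suppressed findings are re-triaged rather than just noted.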

Log Source

CloudTrail (management event with eventSource guardduty.amazonaws.com and eventName ArchiveFindings; the requestParameters carry the detector ID and the list of finding IDs being archived)

Sample Event

MITRE ATT&CK Mapping

Tactics: Defense Evasion

Techniques:
  • T1562.001 — Disable or Modify Tools — Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properl...