ArchiveFindings
AWS
ArchiveFindings
Event
Archives GuardDuty findings to suppress active security alerts from SOC visibility.
Security Context
- Archiving findings effectively hides active threats from SOC workflows by removing them from the default GuardDuty console view, allowing adversaries to operate undetected.
- Suppressing security alerts is a common defense impairment technique used after initial compromise to buy time for lateral movement and data exfiltration.
Log Source
CloudTrail
Sample Event
Adversarial. Draco — having compromised an account that holds guardduty:ArchiveFindings (often via an over-permissive incident-response role) — bulk-archives three GuardDuty findings tied to his own activity (a Recon:IAMUser/UserPermissions finding, an UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom, and an Exfiltration:S3/AnomalousBehavior). Archived findings drop out of the default GuardDuty console view and most SIEM enrichment pipelines, buying time for the next stage.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T18:51:02Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T20:14:52Z", "eventSource": "guardduty.amazonaws.com", "eventName": "ArchiveFindings", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "detectorId": "60000000000040008000001010011010", "findingIds": [ "fa0b00f1ca5cade666ec0badad0badad0", "fa0b00f1ca5cade666ec0badad0badad1", "fa0b00f1ca5cade666ec0badad0badad2" ] }, "responseElements": null, "requestID": "90000000-0000-4000-8000-000001101010", "eventID": "90000000-0000-4000-8000-000001101011", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "guardduty.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Defense Impairment
Techniques:
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...