UpdateDetector
AWS
UpdateDetector
Event
Updates the configuration of a GuardDuty detector, such as enabling or disabling specific threat detection data sources.
Security Context
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
- Tampering with cloud security services blinds defenders to threats and may indicate an adversary is preparing for further malicious activity.
Log Source
CloudTrail
Sample Event
Adversarial. Draco does not fully disable GuardDuty (which would itself be loud) — he selectively turns off the S3_DATA_EVENTS and RUNTIME_MONITORING features via UpdateDetector, leaving the detector “enabled” but blind to the exact data-exfil and EC2-runtime threats GuardDuty would otherwise have detected. This is more sophisticated than a flat disable and harder to triage. T1685.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T18:51:02Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T21:27:43Z", "eventSource": "guardduty.amazonaws.com", "eventName": "UpdateDetector", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "detectorId": "abc12def34ghi56jkl78mno90pqrstu1", "enable": true, "findingPublishingFrequency": "SIX_HOURS", "features": [ {"name": "S3_DATA_EVENTS", "status": "DISABLED"}, {"name": "RUNTIME_MONITORING", "status": "DISABLED"} ] }, "responseElements": null, "requestID": "90000000-0000-4000-8000-000111000100", "eventID": "90000000-0000-4000-8000-000111000101", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "guardduty.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Defense Impairment
Techniques:
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...