
UpdateFindingsFeedback

CSP: AWS
Techniques:

Event

Updates the feedback status on GuardDuty findings, marking them as useful or not useful.

Security Context

  • Marking findings as false positives suppresses them from default GuardDuty views and can influence automated suppression rules, allowing adversaries to hide evidence of their activity from SOC analysts.
  • This is a targeted defense evasion technique where an attacker with sufficient permissions manipulates the feedback mechanism designed for tuning, turning it into a tool for concealment.
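Because every UpdateFindingsFeedback call is recorded in CloudTrail, the suppression pattern described above is detectable: a principal marking findings as NOT_USEFUL is worth a look, and the same principal doing it to several findings in a short window is worth an escalation. The following is an added example written for this page, not code from the catalogue or from AWS; the CloudTrail records are constructed, and it assumes the `requestParameters` keys (`detectorId`, `findingIds`, `feedback`, `comments`) mirror the API's field names.

```python
"""Flag NOT_USEFUL feedback on GuardDuty findings in CloudTrail records.

Added example for this catalogue entry; records below are constructed and
the requestParameters key names are assumed to mirror the API fields.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style records (one JSON object per line), not real events.
SAMPLE_LOG = """
{"eventTime":"2024-05-01T10:00:05Z","eventSource":"guardduty.amazonaws.com","eventName":"UpdateFindingsFeedback","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/analyst"},"sourceIPAddress":"203.0.113.10","requestParameters":{"detectorId":"12abc34d567e8fa901bc2d34e56789f0","findingIds":["f-0001"],"feedback":"USEFUL"}}
{"eventTime":"2024-05-01T10:01:10Z","eventSource":"guardduty.amazonaws.com","eventName":"UpdateFindingsFeedback","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/DevRole/session1"},"sourceIPAddress":"198.51.100.7","requestParameters":{"detectorId":"12abc34d567e8fa901bc2d34e56789f0","findingIds":["f-0002","f-0003"],"feedback":"NOT_USEFUL","comments":"fp"}}
{"eventTime":"2024-05-01T10:04:40Z","eventSource":"guardduty.amazonaws.com","eventName":"UpdateFindingsFeedback","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/DevRole/session1"},"sourceIPAddress":"198.51.100.7","requestParameters":{"detectorId":"12abc34d567e8fa901bc2d34e56789f0","findingIds":["f-0004","f-0005"],"feedback":"NOT_USEFUL","comments":"fp"}}
{"eventTime":"2024-05-01T10:05:00Z","eventSource":"guardduty.amazonaws.com","eventName":"UpdateFindingsFeedback","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/intern"},"sourceIPAddress":"192.0.2.9","requestParameters":{"detectorId":"12abc34d567e8fa901bc2d34e56789f0","findingIds":["f-0006"],"feedback":"NOT_USEFUL"},"errorCode":"AccessDenied"}
{"eventTime":"2024-05-01T10:06:00Z","eventSource":"guardduty.amazonaws.com","eventName":"ListFindings","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/analyst"},"sourceIPAddress":"203.0.113.10","requestParameters":{"detectorId":"12abc34d567e8fa901bc2d34e56789f0"}}
"""


def parse_records(text):
    """Parse newline-delimited JSON CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _event_time(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_feedback_suppression(records, bulk_threshold=3, window=timedelta(minutes=10)):
    """Return a list of alert dicts, one per suspicious feedback event.

    - every successful NOT_USEFUL call  -> severity "medium"
    - a denied NOT_USEFUL attempt       -> severity "low" (still worth seeing)
    - one principal marking >= bulk_threshold findings NOT_USEFUL inside
      `window`                          -> one extra "high" alert per principal
    """
    alerts = []
    marked = defaultdict(list)   # actor ARN -> [(time, finding_id)] within window
    escalated = set()            # actors that already triggered the bulk alert

    for rec in sorted(records, key=_event_time):
        if rec.get("eventSource") != "guardduty.amazonaws.com":
            continue
        if rec.get("eventName") != "UpdateFindingsFeedback":
            continue
        params = rec.get("requestParameters") or {}
        if params.get("feedback") != "NOT_USEFUL":
            continue  # USEFUL feedback is ordinary tuning, not suppression

        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        finding_ids = list(params.get("findingIds") or [])
        base = {
            "actor": actor,
            "source_ip": rec.get("sourceIPAddress"),
            "time": rec["eventTime"],
            "finding_ids": finding_ids,
            "comments": params.get("comments"),
        }

        if rec.get("errorCode"):
            alerts.append({**base, "severity": "low",
                           "reason": f"denied attempt ({rec['errorCode']})"})
            continue

        alerts.append({**base, "severity": "medium",
                       "reason": "findings marked NOT_USEFUL"})

        # Sliding window per principal: drop marks older than `window`, add the new ones.
        now = _event_time(rec)
        marked[actor] = [(t, fid) for t, fid in marked[actor] if now - t <= window]
        marked[actor].extend((now, fid) for fid in finding_ids)
        recent_ids = [fid for _, fid in marked[actor]]

        if len(recent_ids) >= bulk_threshold and actor not in escalated:
            escalated.add(actor)
            minutes = int(window.total_seconds() // 60)
            alerts.append({**base, "severity": "high", "finding_ids": recent_ids,
                           "reason": f"{len(recent_ids)} findings marked NOT_USEFUL "
                                     f"by one principal within {minutes} min"})
    return alerts


if __name__ == "__main__":
    for alert in detect_feedback_suppression(parse_records(SAMPLE_LOG)):
        print(f"[{alert['severity']:6}] {alert['time']} {alert['actor']} "
              f"{alert['finding_ids']} - {alert['reason']}")
```

Run against the constructed log this yields two medium alerts for the DevRole session, one high alert once its four findings fall inside the ten-minute window, and a low alert for the denied attempt; the USEFUL feedback and the ListFindings call produce nothing. In production the same logic belongs in the SIEM query over the CloudTrail `eventName` field, with the threshold tuned to how many findings an analyst legitimately triages at once.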

Log Source

CloudTrail

Sample Event

MITRE ATT&CK Mapping

Tactics: Defense Evasion

Techniques:
  • T1562.001 — Disable or Modify Tools — Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properl...