UpdateFindingsFeedback
AWS
UpdateFindingsFeedback
Event
Updates the feedback status on GuardDuty findings, marking them as useful or not useful.
Security Context
- Marking findings as false positives suppresses them from default GuardDuty views and can influence automated suppression rules, allowing adversaries to hide evidence of their activity from SOC analysts.
- This is a targeted defense impairment technique where an attacker with sufficient permissions manipulates the feedback mechanism designed for tuning, turning it into a tool for concealment.
Log Source
CloudTrail
Sample Event
Adversarial. Draco marks two of his own findings as NOT_USEFUL — the GuardDuty Recon:IAMUser/UserPermissions and Persistence:IAMUser/AnomalousBehavior findings that fired earlier in the kill chain. Marking findings as NOT_USEFUL doesn’t archive them but suppresses them from default views and trains GuardDuty’s machine-learning suppression heuristics. T1685.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T18:51:02Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T21:36:50Z", "eventSource": "guardduty.amazonaws.com", "eventName": "UpdateFindingsFeedback", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "detectorId": "abc12def34ghi56jkl78mno90pqrstu1", "findingIds": [ "f2c0a4d4e5b6a7c8d9e0f1a2b3c4d5e6", "a3d1b5e5f6c7b8d9e0f1a2b3c4d5e6f7" ], "feedback": "NOT_USEFUL", "comments": "false positive — internal pentest" }, "responseElements": null, "requestID": "90000000-0000-4000-8000-000111001000", "eventID": "90000000-0000-4000-8000-000111001001", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "guardduty.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Defense Impairment
Techniques:
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...