Skip to content

UpdateFindingsFeedback

AWS

UpdateFindingsFeedback

service: AWS - GuardDuty
techniques:

Event

Updates the feedback status on GuardDuty findings, marking them as useful or not useful.

Security Context

  • Marking findings as false positives suppresses them from default GuardDuty views and can influence automated suppression rules, allowing adversaries to hide evidence of their activity from SOC analysts.
  • This is a targeted defense impairment technique where an attacker with sufficient permissions manipulates the feedback mechanism designed for tuning, turning it into a tool for concealment.

Log Source

CloudTrail

Sample Event

Adversarial. Draco marks two of his own findings as NOT_USEFUL — the GuardDuty Recon:IAMUser/UserPermissions and Persistence:IAMUser/AnomalousBehavior findings that fired earlier in the kill chain. Marking findings as NOT_USEFUL doesn’t archive them but suppresses them from default views and trains GuardDuty’s machine-learning suppression heuristics. T1685.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T18:51:02Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T21:36:50Z",
"eventSource": "guardduty.amazonaws.com",
"eventName": "UpdateFindingsFeedback",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"detectorId": "abc12def34ghi56jkl78mno90pqrstu1",
"findingIds": [
"f2c0a4d4e5b6a7c8d9e0f1a2b3c4d5e6",
"a3d1b5e5f6c7b8d9e0f1a2b3c4d5e6f7"
],
"feedback": "NOT_USEFUL",
"comments": "false positive — internal pentest"
},
"responseElements": null,
"requestID": "90000000-0000-4000-8000-000111001000",
"eventID": "90000000-0000-4000-8000-000111001001",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "guardduty.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...