AWS WAF Access Control List Deletion
Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/05/21"
3integration = ["aws"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = "Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list."
10false_positives = [
11 """
12 Firewall ACL's may be deleted by a system or network administrator. Verify whether the user identity, user agent,
13 and/or hostname should be making changes in your environment. Web ACL deletions by unfamiliar users or hosts should
14 be investigated. If known behavior is causing false positives, it can be exempted from the rule.
15 """,
16]
17from = "now-60m"
18index = ["filebeat-*", "logs-aws.cloudtrail-*"]
19interval = "10m"
20language = "kuery"
21license = "Elastic License v2"
22name = "AWS WAF Access Control List Deletion"
23note = """## Setup
24
25The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
26references = [
27 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html",
28 "https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html",
29]
30risk_score = 47
31rule_id = "91d04cd4-47a9-4334-ab14-084abe274d49"
32severity = "medium"
33tags = [
34 "Domain: Cloud",
35 "Data Source: AWS",
36 "Data Source: Amazon Web Services",
37 "Use Case: Network Security Monitoring",
38 "Tactic: Defense Evasion",
39]
40timestamp_override = "event.ingested"
41type = "query"
42
43query = '''
44event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success
45'''
46
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50[[rule.threat.technique]]
51id = "T1562"
52name = "Impair Defenses"
53reference = "https://attack.mitre.org/techniques/T1562/"
54[[rule.threat.technique.subtechnique]]
55id = "T1562.001"
56name = "Disable or Modify Tools"
57reference = "https://attack.mitre.org/techniques/T1562/001/"
58
59
60
61[rule.threat.tactic]
62id = "TA0005"
63name = "Defense Evasion"
64reference = "https://attack.mitre.org/tactics/TA0005/"
Setup
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
-
Options --web-acl-id (string) The WebACLId of the WebACL that you want to delete. WebACLId is returned by CreateWebACL and by ListWebACLs . --change-token (string) The value returned by the most re...
Read More -
Related rules
- AWS EC2 Network Access Control List Deletion
- AWS WAF Rule or Rule Group Deletion
- AWS CloudTrail Log Suspended
- AWS CloudWatch Alarm Deletion
- AWS Config Resource Deletion