AWS WAF Rule or Rule Group Deletion
Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group.
Elastic rule
[metadata]
creation_date = "2020/06/09"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = "Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group."
false_positives = [
    """
    WAF rules or rule groups may be deleted by a system or network administrator. Verify whether the user identity, user
    agent, and/or hostname should be making changes in your environment. Rule deletions by unfamiliar users or hosts
    should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-60m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS WAF Rule or Rule Group Deletion"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS WAF Rule or Rule Group Deletion

AWS Web Application Firewall (WAF) protects web applications by filtering and monitoring HTTP requests against rules organized into web ACLs and rule groups. Adversaries may delete WAF rules or rule groups to strip those protections before attacks such as SQL injection or cross-site scripting. The detection rule monitors AWS CloudTrail logs for successful DeleteRule and DeleteRuleGroup calls to the classic (waf, waf-regional) and WAFv2 APIs, signaling potential defense evasion. Note that WAFv2 has no DeleteRule API: removing a single rule from a WAFv2 web ACL or rule group is done by rewriting its rule list with UpdateWebACL or UpdateRuleGroup, and deleting a whole web ACL is DeleteWebACL, none of which this query matches. Pair it with the related AWS WAF Access Control List Deletion rule and with change monitoring on the update calls.

### Possible investigation steps

- Review the AWS CloudTrail logs to identify the user or role associated with the deletion action by examining the userIdentity field (aws.cloudtrail.user_identity.* and user.name once ingested), including whether the session was MFA-authenticated.
- Check the event timestamp (eventTime in the raw record, @timestamp once ingested) to determine when the deletion occurred and correlate it with other suspicious activity around the same time.
- Investigate the source IP address (source.ip) and user agent (user_agent.original) to assess whether the request originated from a known or expected location and tool; a CLI or SDK user agent from an address outside your CI/CD or administrative ranges warrants closer attention.
- Identify the deleted object from the request parameters (aws.cloudtrail.request_parameters: id, name and scope for WAFv2, ruleId or ruleGroupId for classic WAF) and verify whether it was part of a critical security configuration by reviewing the AWS WAF setup and any associated documentation.
- Contact the user or team responsible for AWS WAF management to confirm whether the deletion was authorized and understand the rationale behind it.
- Examine any recent changes in IAM policies or permissions that might have granted the waf, waf-regional or wafv2 delete actions to users who should not hold them.

### False positive analysis

- Routine maintenance or updates by authorized personnel can trigger rule deletions. Verify if the deletion aligns with scheduled maintenance activities and consider excluding these events from alerts.
- Automated scripts or tools used for infrastructure management might delete and recreate WAF rules as part of their normal operation. Identify these scripts and whitelist their actions to prevent unnecessary alerts.
- Changes in security policies or architecture might necessitate the removal of certain WAF rules. Ensure that such changes are documented and approved, and exclude these documented actions from triggering alerts.
- Temporary rule deletions for testing purposes by security teams can be mistaken for malicious activity. Coordinate with the security team to log these activities and exclude them from detection rules.
- Ensure that IAM roles or users with permissions to delete WAF rules are reviewed regularly. Exclude actions performed by trusted roles or users after confirming their legitimacy.

### Response and remediation

- Immediately review AWS CloudTrail logs to confirm the unauthorized deletion of WAF rules or rule groups and identify the source of the action, including the IAM user or role involved.
- Recreate the deleted WAF rules or rule groups from infrastructure-as-code or a known-good export and re-associate them with the affected web ACLs; AWS WAF has no undelete, so until they are back the application is exposed to the attacks they blocked, such as SQL injection or cross-site scripting.
- Temporarily restrict or revoke permissions for the identified IAM user or role to prevent further unauthorized actions until a thorough investigation is completed.
- Conduct a security review of the affected AWS environment to identify any other potential security gaps or unauthorized changes that may have occurred.
- Notify the security operations team and relevant stakeholders about the incident for awareness and further investigation.
- Implement additional monitoring and alerting for AWS WAF configuration changes to detect and respond to similar unauthorized actions promptly in the future.
- Consider enabling AWS Config rules to continuously monitor and enforce compliance with WAF configurations, ensuring any unauthorized changes are automatically flagged.

## Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html",
    "https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html",
]
risk_score = 47
rule_id = "5beaebc1-cc13-4bfc-9949-776f9e0dc318"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Use Case: Network Security Monitoring",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
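The query above, applied offline to constructed CloudTrail records, as an added example that is not part of Elastic's rule. It evaluates the same eventSource/eventName/errorCode predicate the KQL expresses on raw CloudTrail records, extracts the triage fields the investigation steps name, applies the false-positive exemption by principal ARN, and adds a companion check for the WAFv2 gap (wafv2 has no DeleteRule; a rule disappears when UpdateWebACL or UpdateRuleGroup rewrites the rule list). The records, account id, ARNs, object ids, addresses and the baseline rule counts are all constructed for the demo.

```python
from typing import Dict, Iterable, List

# eventSource / eventName values the query's event.provider and event.action clauses match
WAF_EVENT_SOURCES = {"waf.amazonaws.com", "waf-regional.amazonaws.com", "wafv2.amazonaws.com"}
DELETE_EVENT_NAMES = {"DeleteRule", "DeleteRuleGroup"}
# WAFv2 has no DeleteRule API: a single rule vanishes from a web ACL or rule group when
# its rule list is rewritten, which the query above never sees.
V2_REWRITE_EVENT_NAMES = {"UpdateWebACL", "UpdateRuleGroup"}

def is_success(record: Dict) -> bool:
    """CloudTrail adds errorCode to failed calls; its absence is event.outcome:success."""
    return "errorCode" not in record

def matches_rule(record: Dict) -> bool:
    """The rule's KQL predicate evaluated on a raw CloudTrail record."""
    return (record.get("eventSource") in WAF_EVENT_SOURCES
            and record.get("eventName") in DELETE_EVENT_NAMES and is_success(record))

def triage(record: Dict) -> Dict[str, object]:
    """Pull the fields the investigation steps ask for out of one record."""
    ident = record.get("userIdentity", {})
    attrs = ident.get("sessionContext", {}).get("attributes", {})
    params = record.get("requestParameters") or {}
    return {
        "time": record.get("eventTime"),
        "actor": ident.get("arn"), "actor_type": ident.get("type"),
        "mfa": attrs.get("mfaAuthenticated"),
        "source_ip": record.get("sourceIPAddress"), "user_agent": record.get("userAgent"),
        "api": f"{record.get('eventSource')}:{record.get('eventName')}",
        # WAFv2 names the object by id; classic WAF by ruleGroupId or ruleId
        "target": params.get("id") or params.get("ruleGroupId") or params.get("ruleId"),
    }

def detect(records: Iterable[Dict], exempt_arns: Iterable[str] = ()) -> List[Dict]:
    """Alert on every successful WAF delete not made by an exempted principal.
    exempt_arns is the exception the rule's false-positive note describes (e.g. a
    known IaC deploy role); match the full session ARN, never a prefix."""
    exempt = set(exempt_arns)
    return [hit for hit in map(triage, filter(matches_rule, records)) if hit["actor"] not in exempt]

def v2_rule_removals(records: Iterable[Dict], baseline: Dict[str, int]) -> List[Dict]:
    """Companion check for the WAFv2 gap: flag successful UpdateWebACL/UpdateRuleGroup
    calls whose submitted rule list is shorter than the count last seen for that
    object id (baseline = {id: rule count}, maintained by the caller)."""
    flagged = []
    for rec in records:
        if (rec.get("eventSource") != "wafv2.amazonaws.com" or not is_success(rec)
                or rec.get("eventName") not in V2_REWRITE_EVENT_NAMES):
            continue
        params = rec.get("requestParameters") or {}
        obj_id, submitted = params.get("id"), len(params.get("rules") or [])
        if obj_id in baseline and submitted < baseline[obj_id]:
            hit = triage(rec)
            hit["rules_removed"] = baseline[obj_id] - submitted
            flagged.append(hit)
    return flagged

# Constructed CloudTrail records for the demo; the account id, ARNs, ids and IPs are made up.
ACCT = "111122223333"
SAMPLE_RECORDS = [
    {   # successful WAFv2 rule group deletion by a role session without MFA -> alert
        "eventTime": "2025-01-15T10:02:11Z", "eventSource": "wafv2.amazonaws.com",
        "eventName": "DeleteRuleGroup", "sourceIPAddress": "198.51.100.23",
        "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "AssumedRole",
                         "arn": f"arn:aws:sts::{ACCT}:assumed-role/ops-admin/alice",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
        "requestParameters": {"name": "edge-protections", "scope": "REGIONAL",
                              "id": "a1b2c3d4-0000-4000-8000-000000000001", "lockToken": "t1"},
    },
    {   # classic regional DeleteRule that was denied -> not event.outcome:success
        "eventTime": "2025-01-15T10:03:00Z", "eventSource": "waf-regional.amazonaws.com",
        "eventName": "DeleteRule", "errorCode": "AccessDenied",
        "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/bob"},
        "requestParameters": {"ruleId": "rule-0002", "changeToken": "c1"},
    },
    {   # classic global DeleteRuleGroup by the IaC deploy role -> exempted in the demo run
        "eventTime": "2025-01-15T10:05:42Z", "eventSource": "waf.amazonaws.com",
        "eventName": "DeleteRuleGroup", "sourceIPAddress": "203.0.113.9",
        "userAgent": "terraform-provider-aws/5.0",
        "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCT}:assumed-role/iac-deploy/ci"},
        "requestParameters": {"ruleGroupId": "rg-0003", "changeToken": "c2"},
    },
    {   # WAFv2 web ACL rewritten with an empty rule list -> invisible to the query
        "eventTime": "2025-01-15T10:07:19Z", "eventSource": "wafv2.amazonaws.com",
        "eventName": "UpdateWebACL", "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCT}:assumed-role/ops-admin/alice"},
        "requestParameters": {"name": "prod-acl", "scope": "REGIONAL",
                              "id": "a1b2c3d4-0000-4000-8000-000000000004", "rules": []},
    },
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_RECORDS, exempt_arns=[f"arn:aws:sts::{ACCT}:assumed-role/iac-deploy/ci"]):
        print("ALERT     ", hit)
    for hit in v2_rule_removals(SAMPLE_RECORDS, {"a1b2c3d4-0000-4000-8000-000000000004": 3}):
        print("V2 REWRITE", hit)
```

Run as a script it prints one alert (the ops-admin session deleting a WAFv2 rule group without MFA) and one V2 rewrite (the web ACL emptied by UpdateWebACL); the denied DeleteRule never fires because CloudTrail carries an errorCode, and the deploy role is suppressed only because its full session ARN is exempted. The baseline for v2_rule_removals would in practice come from the previous CreateWebACL/UpdateWebACL event or a GetWebACL snapshot kept by the monitoring job.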
Related rules
- AWS EC2 Network Access Control List Deletion
- AWS EC2 Security Group Configuration Change
- AWS WAF Access Control List Deletion
- AWS Configuration Recorder Stopped
- AWS EC2 Full Network Packet Capture Detected