AWS WAF Rule or Rule Group Deletion

Identifies the deletion of an AWS Web Application Firewall (WAF) rule or rule group. WAF rules and rule groups enforce critical protections for web applications by filtering malicious HTTP requests, blocking known attack patterns, and enforcing access controls. Deleting these rules—even briefly—can expose applications to SQL injection, cross-site scripting, credential-stuffing bots, or targeted exploitation. Adversaries who have gained sufficient permissions may remove WAF protections as part of a broader defense evasion or impact strategy, often preceding data theft or direct application compromise.

Elastic rule

[metadata]
creation_date = "2020/06/09"
integration = ["aws"]
maturity = "production"
updated_date = "2025/12/08"

[rule]
author = ["Elastic"]
description = """
Identifies the deletion of an AWS Web Application Firewall (WAF) rule or rule group. WAF rules and rule groups enforce
critical protections for web applications by filtering malicious HTTP requests, blocking known attack patterns, and
enforcing access controls. Deleting these rules—even briefly—can expose applications to SQL injection, cross-site
scripting, credential-stuffing bots, or targeted exploitation. Adversaries who have gained sufficient permissions may
remove WAF protections as part of a broader defense evasion or impact strategy, often preceding data theft or direct
application compromise.
"""
false_positives = [
    """
    Routine WAF maintenance, rule lifecycle updates, or temporary rule removals during application changes may trigger
    this alert. Validate whether the principal, source IP, automation role, or deployment pipeline is expected to modify
    WAF rules. Confirm that the deletion corresponds to a documented change or deployment before taking action.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS WAF Rule or Rule Group Deletion"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS WAF Rule or Rule Group Deletion

AWS WAF rules and rule groups define the security boundary for web applications by blocking malicious inputs,
enforcing rate-based protections, and applying managed or custom signatures. Deleting a rule or rule group immediately
weakens this boundary. Adversaries who obtain sufficient permissions may delete these protections to remove detection of malicious payloads prior to exploitation or erase defenses protecting high-value APIs.

This rule detects successful `DeleteRule` or `DeleteRuleGroup` API calls in CloudTrail.

### Possible investigation steps

**Identify the actor**
- Review `aws.cloudtrail.user_identity.arn` and `user_identity.access_key_id` to determine which principal performed the deletion.
- Determine whether the principal normally manages WAF resources or appears anomalous (new key, unused IAM role, unexpected federation source).

**Inspect the request context**
- Review `source.address`, the `source.geo` fields, and `user_agent.original` to determine whether the request originated from a known enterprise IP range or a CI/CD runner or automation tool, or instead from an unfamiliar network, region, or browser/CLI pattern.

**Understand what was deleted**
- Review `aws.cloudtrail.request_parameters` for the `RuleId` or `RuleGroupId`, any WebACLs that referenced the rule, and metadata indicating whether the deleted rule was part of production traffic control.

**Correlate surrounding activity**
- Look for adjacent CloudTrail events:
  - modifications to WebACLs (`UpdateWebACL`)
  - creation of permissive rules (`CreateRule`, `PutRule`) after deletion
  - IAM privilege escalation events
  - unusual S3, API Gateway, or ALB access patterns immediately after the rule deletion
- Determine whether the deletion preceded or followed exploit attempts visible in application logs.

**Establish operational context**
- Confirm whether the deletion aligns with a deployment pipeline, scheduled maintenance, or rule tuning by security teams. If not, treat the event as potentially malicious.

**Engage relevant owners**
- Contact application security or platform engineering teams to verify whether the rule or rule group deletion was authorized.

### False positive analysis

- **Authorized deployment workflows**  
  Some organizations rebuild WAF rules programmatically during deployments. Validate expected CI/CD service roles and event timing.

- **Automated rule regeneration**  
  Certain WAF-as-code approaches temporarily delete and recreate rules. Confirm whether the event corresponds to an expected automation cycle.

- **Security team testing**  
  Teams may temporarily disable or remove rules during testing of new signatures or rate controls. Verify scheduling and ownership.

- **Non-production environments**  
  Development or staging accounts may routinely alter WAF rules. Tune the rule by account, environment tags, or namespaces to reduce noise.

### Response and remediation

- **Contain the incident**
  - Immediately verify whether the deletion was intentional.
  - If unauthorized, revoke active access keys or disable implicated IAM roles/sessions.

- **Reinstate protections**
  - Restore the deleted rule or rule group from infrastructure-as-code definitions, backups, or documented configuration.
  - Inspect associated WebACLs to ensure no additional rules were removed or modified.

- **Investigate follow-on activity**
  - Review application logs for suspicious requests following WAF rule removal.
  - Investigate potential exploitation attempts (SQLi, XSS, API abuse, authentication bypass).

- **Harden IAM and WAF governance**
  - Limit WAF deletion operations to tightly controlled IAM roles.
  - Enforce MFA and short session durations for privileged accounts.
  - Consider guardrails using AWS Config or SCPs to prevent deletion of production WAF rules.

- **Post-incident improvements**
  - Update runbooks to track planned WAF changes.
  - Strengthen CI/CD guardrails to prevent unauthorized rule manipulation.
  - Enhance alerting for other high-risk WAF configuration changes.

### Additional information

- **DeleteRule API (WAF Classic & Regional)**  
  https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRule.html  
- **DeleteRuleGroup API (WAFv2)**  
  https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html  
- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
- **[AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/)**
"""
references = [
    "https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRule.html",
    "https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html",
]
risk_score = 47
rule_id = "5beaebc1-cc13-4bfc-9949-776f9e0dc318"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS WAF",
    "Use Case: Network Security Monitoring",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: aws.cloudtrail
    and event.provider: (waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com)
    and event.action: (DeleteRule or DeleteRuleGroup)
    and event.outcome: success
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.007"
name = "Disable or Modify Cloud Firewall"
reference = "https://attack.mitre.org/techniques/T1562/007/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "target.entity.id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
]
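The following Python is an added illustration, not part of the Elastic rule above or of any Elastic tooling. It replays the query's three conditions (WAF event provider, delete action, successful outcome) over a handful of constructed CloudTrail records, then applies the guide's "Correlate surrounding activity" step by listing later WAF changes made by the same principal. The raw-to-ECS mapping it relies on is an assumption stated in the comments: `eventSource` feeds `event.provider`, `eventName` feeds `event.action`, and `event.outcome` is `success` when the record carries no `errorCode`. All ARNs, account IDs, resource names and IDs in the sample are placeholders.

```python
from datetime import datetime, timedelta

# Values taken from the rule's KQL query.
WAF_EVENT_SOURCES = {"waf.amazonaws.com", "waf-regional.amazonaws.com", "wafv2.amazonaws.com"}
DELETE_ACTIONS = {"DeleteRule", "DeleteRuleGroup"}
# Follow-on actions named in the guide's "Correlate surrounding activity" step.
FOLLOW_ON_ACTIONS = {"UpdateWebACL", "CreateRule", "PutRule"}

# Constructed sample of raw CloudTrail records (not real events); only the fields used below.
# Account IDs, ARNs, names and IDs are placeholders.
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-15T10:00:00Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "DeleteRuleGroup",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/DevOpsRole/alice"},
     "requestParameters": {"name": "prod-api-protections", "id": "RULEGROUP-ID-PLACEHOLDER"}},
    {"eventTime": "2025-01-15T10:03:20Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "UpdateWebACL",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/DevOpsRole/alice"},
     "requestParameters": {"name": "prod-web-acl"}},
    # Failed call: CloudTrail records errorCode, which the ingest pipeline maps to event.outcome: failure.
    {"eventTime": "2025-01-15T10:05:00Z", "eventSource": "waf-regional.amazonaws.com",
     "eventName": "DeleteRule", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"ruleId": "RULE-ID-PLACEHOLDER"}},
    # EventBridge also exposes a DeleteRule API; the event.provider clause keeps it out of scope.
    {"eventTime": "2025-01-15T10:06:00Z", "eventSource": "events.amazonaws.com",
     "eventName": "DeleteRule",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"name": "nightly-batch"}},
    {"eventTime": "2025-01-15T11:30:00Z", "eventSource": "waf-regional.amazonaws.com",
     "eventName": "DeleteRule",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"},
     "requestParameters": {"ruleId": "RULE-ID-PLACEHOLDER-2"}},
]


def _when(event):
    """Parse CloudTrail's ISO-8601 eventTime (trailing Z) into an aware datetime."""
    return datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))


def is_waf_deletion(event):
    """Same predicate as the KQL. Assumed mapping: eventSource -> event.provider,
    eventName -> event.action, and absence of errorCode -> event.outcome: success."""
    return (event.get("eventSource") in WAF_EVENT_SOURCES
            and event.get("eventName") in DELETE_ACTIONS
            and "errorCode" not in event)


def find_deletions(events):
    """All records that would fire the rule, in input order."""
    return [e for e in events if is_waf_deletion(e)]


def follow_on_activity(events, deletion, window=timedelta(minutes=15)):
    """WAF changes by the same principal after the deletion, within the window.
    This is the 'adjacent CloudTrail events' check from the investigation guide."""
    actor = deletion["userIdentity"]["arn"]
    start = _when(deletion)
    return [e for e in events
            if e is not deletion
            and e.get("eventSource") in WAF_EVENT_SOURCES
            and e.get("eventName") in FOLLOW_ON_ACTIONS
            and e["userIdentity"]["arn"] == actor
            and start < _when(e) <= start + window]


def triage_summary(events):
    """One tuple per alert: (actor ARN, delete action, deleted target, follow-on action names)."""
    rows = []
    for d in find_deletions(events):
        params = d.get("requestParameters", {})
        # WAF Classic/Regional use RuleId; WAFv2 identifies rule groups by name and id.
        target = params.get("name") or params.get("ruleId") or params.get("id") or "?"
        later = [e["eventName"] for e in follow_on_activity(events, d)]
        rows.append((d["userIdentity"]["arn"], d["eventName"], target, later))
    return rows


if __name__ == "__main__":
    for arn, action, target, later in triage_summary(SAMPLE_EVENTS):
        print(f"{action} on {target!r} by {arn}; follow-on WAF changes: {later or 'none'}")
```

Running it yields two alerts: the `DeleteRuleGroup` by the DevOps role, followed three minutes later by an `UpdateWebACL` from the same principal (the pattern the guide flags for closer review), and carol's `DeleteRule` with no follow-on changes. The denied `DeleteRule` and the EventBridge `DeleteRule` are excluded by the outcome and provider clauses respectively, which is why a naive filter on the action name alone would over-alert.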
