AWS WAF Rule or Rule Group Deletion

Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group.

Elastic rule

```toml
[metadata]
creation_date = "2020/06/09"
integration = ["aws"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = "Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group."
false_positives = [
    """
    WAF rules or rule groups may be deleted by a system or network administrator. Verify whether the user identity, user
    agent, and/or hostname should be making changes in your environment. Rule deletions by unfamiliar users or hosts
    should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-60m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
name = "AWS WAF Rule or Rule Group Deletion"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS WAF Rule or Rule Group Deletion

AWS Web Application Firewall (WAF) protects web applications by filtering and monitoring HTTP requests. Adversaries may delete WAF rules or groups to disable security measures, facilitating attacks like SQL injection or cross-site scripting. The detection rule monitors AWS CloudTrail logs for successful deletion actions, signaling potential defense evasion attempts by identifying unauthorized or suspicious deletions.

### Possible investigation steps

- Review the AWS CloudTrail logs to identify the user or role associated with the deletion action by examining the userIdentity field.
- Check the event.time field in the CloudTrail logs to determine when the deletion occurred and correlate it with any other suspicious activities around the same time.
- Investigate the source IP address and user agent from the CloudTrail logs to assess if the request originated from a known or expected location and device.
- Verify if the deleted WAF rule or rule group was part of a critical security configuration by reviewing the AWS WAF setup and any associated documentation.
- Contact the user or team responsible for AWS WAF management to confirm if the deletion was authorized and understand the rationale behind it.
- Examine any recent changes in IAM policies or permissions that might have allowed unauthorized users to perform the deletion action.

### False positive analysis

- Routine maintenance or updates by authorized personnel can trigger rule deletions. Verify if the deletion aligns with scheduled maintenance activities and consider excluding these events from alerts.
- Automated scripts or tools used for infrastructure management might delete and recreate WAF rules as part of their normal operation. Identify these scripts and whitelist their actions to prevent unnecessary alerts.
- Changes in security policies or architecture might necessitate the removal of certain WAF rules. Ensure that such changes are documented and approved, and exclude these documented actions from triggering alerts.
- Temporary rule deletions for testing purposes by security teams can be mistaken for malicious activity. Coordinate with the security team to log these activities and exclude them from detection rules.
- Ensure that IAM roles or users with permissions to delete WAF rules are reviewed regularly. Exclude actions performed by trusted roles or users after confirming their legitimacy.

### Response and remediation

- Immediately review AWS CloudTrail logs to confirm the unauthorized deletion of WAF rules or rule groups and identify the source of the action, including the IAM user or role involved.
- Reapply the deleted WAF rules or rule groups to restore the intended security posture and prevent potential attacks such as SQL injection or cross-site scripting.
- Temporarily restrict or revoke permissions for the identified IAM user or role to prevent further unauthorized actions until a thorough investigation is completed.
- Conduct a security review of the affected AWS environment to identify any other potential security gaps or unauthorized changes that may have occurred.
- Notify the security operations team and relevant stakeholders about the incident for awareness and further investigation.
- Implement additional monitoring and alerting for AWS WAF configuration changes to detect and respond to similar unauthorized actions promptly in the future.
- Consider enabling AWS Config rules to continuously monitor and enforce compliance with WAF configurations, ensuring any unauthorized changes are automatically flagged.

## Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html",
    "https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html",
]
risk_score = 47
rule_id = "5beaebc1-cc13-4bfc-9949-776f9e0dc318"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Use Case: Network Security Monitoring",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
...
```
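As an added example (not part of the Elastic rule or its repository), the Python below mirrors the rule's KQL over constructed CloudTrail documents flattened to ECS dotted field names, extracts the triage fields the investigation steps ask for, and applies the trusted-role exclusion the false-positive analysis suggests. The field names `aws.cloudtrail.user_identity.arn`, `source.address` and `user_agent.original` are assumed from the Elastic AWS integration's ECS mapping; every document, IP and ARN is a constructed sample value.

```python
WAF_PROVIDERS = {"waf.amazonaws.com", "waf-regional.amazonaws.com", "wafv2.amazonaws.com"}
DELETE_ACTIONS = {"DeleteRule", "DeleteRuleGroup"}
# Constructed allowlist: a deployment role that deletes and recreates rules on every apply.
TRUSTED_ROLE_ARNS = {"arn:aws:iam::123456789012:role/waf-terraform-deployer"}

def matches_rule(doc):
    """Mirror of the KQL: top-level clauses are ANDed, each parenthesised list is an OR."""
    return (doc.get("event.dataset") == "aws.cloudtrail"
            and doc.get("event.provider") in WAF_PROVIDERS
            and doc.get("event.action") in DELETE_ACTIONS
            and doc.get("event.outcome") == "success")

def triage(doc):
    """Fields the investigation steps ask for: actor, time, source IP and user agent."""
    return {"actor": doc.get("aws.cloudtrail.user_identity.arn"),  # assumed ECS field name
            "time": doc.get("@timestamp"),
            "source_ip": doc.get("source.address"),
            "user_agent": doc.get("user_agent.original"),
            "action": doc.get("event.action")}

def alerts(docs, trusted=TRUSTED_ROLE_ARNS):
    """Triage summaries for matching docs, minus deletions by allowlisted IAM ARNs."""
    return [triage(d) for d in docs
            if matches_rule(d) and d.get("aws.cloudtrail.user_identity.arn") not in trusted]

# Constructed sample documents, using the dotted field names Kibana Discover shows.
SAMPLE_DOCS = [
    {"@timestamp": "2025-01-15T10:02:11Z", "event.dataset": "aws.cloudtrail",
     "event.provider": "wafv2.amazonaws.com", "event.action": "DeleteRuleGroup",
     "event.outcome": "success", "source.address": "203.0.113.7",
     "user_agent.original": "aws-cli/2.15.0",
     "aws.cloudtrail.user_identity.arn": "arn:aws:iam::123456789012:user/jdoe"},
    # Denied attempt: same API call, but outcome is failure, so the rule stays quiet.
    {"@timestamp": "2025-01-15T10:05:40Z", "event.dataset": "aws.cloudtrail",
     "event.provider": "waf-regional.amazonaws.com", "event.action": "DeleteRule",
     "event.outcome": "failure", "source.address": "198.51.100.9",
     "aws.cloudtrail.user_identity.arn": "arn:aws:iam::123456789012:user/intern"},
    # A successful WAF change that is not a deletion: out of scope for this rule.
    {"@timestamp": "2025-01-15T10:07:02Z", "event.dataset": "aws.cloudtrail",
     "event.provider": "wafv2.amazonaws.com", "event.action": "UpdateWebACL",
     "event.outcome": "success"},
    # Deployment role recreating rules: matches the query but is allowlisted.
    {"@timestamp": "2025-01-15T10:30:00Z", "event.dataset": "aws.cloudtrail",
     "event.provider": "wafv2.amazonaws.com", "event.action": "DeleteRule",
     "event.outcome": "success", "source.address": "192.0.2.44",
     "aws.cloudtrail.user_identity.arn": "arn:aws:iam::123456789012:role/waf-terraform-deployer"},
]
```

Running `alerts(SAMPLE_DOCS)` yields one alert (the `jdoe` deletion); passing `trusted=set()` shows the deployment role would otherwise fire as the second, which is the noise the false-positive section tells you to exempt.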
