AWS WAF Rule or Rule Group Deletion
Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/06/09"
3integration = ["aws"]
4maturity = "production"
5min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
6min_stack_version = "8.9.0"
7updated_date = "2024/04/14"
8
9[rule]
10author = ["Elastic"]
11description = "Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group."
12false_positives = [
13 """
14 WAF rules or rule groups may be deleted by a system or network administrator. Verify whether the user identity, user
15 agent, and/or hostname should be making changes in your environment. Rule deletions by unfamiliar users or hosts
16 should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
17 """,
18]
19from = "now-60m"
20index = ["filebeat-*", "logs-aws.cloudtrail-*"]
21interval = "10m"
22language = "kuery"
23license = "Elastic License v2"
24name = "AWS WAF Rule or Rule Group Deletion"
25note = """## Setup
26
27The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
28references = [
29 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html",
30 "https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html",
31]
32risk_score = 47
33rule_id = "5beaebc1-cc13-4bfc-9949-776f9e0dc318"
34severity = "medium"
35tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
36timestamp_override = "event.ingested"
37type = "query"
38
39query = '''
40event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success
41'''
42
43
44[[rule.threat]]
45framework = "MITRE ATT&CK"
46[[rule.threat.technique]]
47id = "T1562"
48name = "Impair Defenses"
49reference = "https://attack.mitre.org/techniques/T1562/"
50[[rule.threat.technique.subtechnique]]
51id = "T1562.001"
52name = "Disable or Modify Tools"
53reference = "https://attack.mitre.org/techniques/T1562/001/"
54
55
56
57[rule.threat.tactic]
58id = "TA0005"
59name = "Defense Evasion"
60reference = "https://attack.mitre.org/tactics/TA0005/"
Setup
The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
-
Description Note This is AWS WAF Classic documentation. For more information, see AWS WAF Classic in the developer guide. For the latest version of AWS WAF , use the AWS WAFV2 API and see the AWS W...
Read More -
Permanently deletes a . You can't delete a RuleGroup if it's still used in any WebACL objects or if it still includes any rules.
Read More
Related rules
- AWS EC2 Network Access Control List Deletion
- AWS WAF Access Control List Deletion
- AWS CloudTrail Log Deleted
- AWS CloudTrail Log Suspended
- AWS CloudWatch Alarm Deletion