forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdefense_evasion_waf_acl_deletion.toml
51 lines (44 loc) · 1.61 KB
/
defense_evasion_waf_acl_deletion.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
[metadata]
creation_date = "2020/05/21"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/09/03"
[rule]
author = ["Elastic"]
description = "Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list."
false_positives = [
"""
Firewall ACL's may be deleted by a system or network administrator. Verify whether the user identity, user agent,
and/or hostname should be making changes in your environment. Web ACL deletions from unfamiliar users or hosts
should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-60m"
index = ["filebeat-*", "logs-aws*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "AWS WAF Access Control List Deletion"
note = "The AWS Filebeat module must be enabled to use this rule."
references = [
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html",
"https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html",
]
risk_score = 47
rule_id = "91d04cd4-47a9-4334-ab14-084abe274d49"
severity = "medium"
tags = ["AWS", "Elastic", "SecOps", "Network", "Continuous Monitoring"]
type = "query"
query = '''
event.action:DeleteWebACL and event.dataset:aws.cloudtrail and event.outcome:success
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1089"
name = "Disabling Security Tools"
reference = "https://attack.mitre.org/techniques/T1089/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"