IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
AWS WAF Access Control List Deletion
editAWS WAF Access Control List Deletion
editIdentifies the deletion of a specified AWS Web Application Firewall (WAF) access control list.
Rule type: query
Rule indices:
- filebeat-*
- logs-aws*
Severity: medium
Risk score: 47
Runs every: 10m
Searches indices from: now-60m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Data Source: AWS
- Data Source: Amazon Web Services
- Use Case: Network Security Monitoring
- Tactic: Defense Evasion
Version: 105
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
editRule query
editevent.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
-
Technique:
- Name: Impair Defenses
- ID: T1562
- Reference URL: https://attack.mitre.org/techniques/T1562/
-
Sub-technique:
- Name: Disable or Modify Tools
- ID: T1562.001
- Reference URL: https://attack.mitre.org/techniques/T1562/001/