AWS WAF web access control list deleted

cloudtrail

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when an AWS Web Application Firewall (WAF) Access Control List (ACL) is deleted.

Strategy

The rule monitors AWS WAF logs @eventSource:waf*.amazonaws.com and detects when the @evt.name is DeleteWebACL.

Triage and response

  1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@userIdentity.accountId}}.
  2. If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.