< Back to rules searchAWS WAF web access control list deleted
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Detect when an AWS Web Application Firewall (WAF) Access Control List (ACL) is deleted.
Strategy
The rule monitors AWS WAF logs @eventSource:waf*.amazonaws.com
and detects when the @evt.name
is DeleteWebACL
.
Triage and response
- Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.
- If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.