AWS WAF web access control list deleted



Detect when an AWS Web Application Firewall (WAF) Access Control List (ACL) is deleted.


The rule monitors AWS WAF logs (@eventSource:waf*) and detects when the API call is DeleteWebACL.

Triage and response

  1. Determine if {{@userIdentity.arn}} is expected to perform the DeleteWebACL API call on the account: {{@userIdentity.accountId}}.
  2. If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.
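
The rule condition and the pivot in triage step 2, sketched as an added example (not the rule's own implementation). It assumes CloudTrail-shaped records with `eventSource`, `eventName`, `userIdentity` and `errorCode` fields; the events, user names and account ID are constructed placeholders.

```python
import fnmatch

ACCOUNT = "111122223333"  # placeholder account ID (constructed)

def ev(time, source, name, user, error=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    record = {"eventTime": time, "eventSource": source, "eventName": name,
              "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/{user}",
                               "accountId": ACCOUNT}}
    if error:
        record["errorCode"] = error  # CloudTrail sets errorCode on failed calls
    return record

EVENTS = [
    ev("2024-01-01T10:00:00Z", "iam.amazonaws.com", "ListUsers", "example-user"),
    ev("2024-01-01T10:01:00Z", "wafv2.amazonaws.com", "GetWebACL", "other-user"),
    ev("2024-01-01T10:02:00Z", "wafv2.amazonaws.com", "DeleteWebACL", "example-user"),
    ev("2024-01-01T10:03:00Z", "s3.amazonaws.com", "GetObject", "example-user", "AccessDenied"),
    ev("2024-01-01T10:04:00Z", "ec2.amazonaws.com", "DescribeInstances", "example-user"),
]

def detect_web_acl_deletions(events):
    """Rule condition: eventSource matches waf* and the API call is DeleteWebACL."""
    return [e for e in events
            if fnmatch.fnmatchcase(e.get("eventSource", ""), "waf*")
            and e.get("eventName") == "DeleteWebACL"]

def other_successful_calls(events, arn):
    """Triage step 2: every other call by the same identity that did not fail."""
    return [(e["eventSource"], e["eventName"]) for e in events
            if e.get("userIdentity", {}).get("arn") == arn
            and e.get("eventName") != "DeleteWebACL"
            and "errorCode" not in e]

def triage(events):
    """One summary per detection: who deleted the ACL, where, and what else they did."""
    summaries = []
    for hit in detect_web_acl_deletions(events):
        identity = hit.get("userIdentity", {})
        arn = identity.get("arn")
        summaries.append({"arn": arn, "accountId": identity.get("accountId"),
                          "time": hit["eventTime"],
                          "other_successful_calls": other_successful_calls(events, arn)})
    return summaries

if __name__ == "__main__":
    for summary in triage(EVENTS):
        print(summary)
```

The denied `GetObject` call is left out of the pivot because step 2 asks only for APIs that were successfully accessed.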