From 2ed97d2e8c38fe776b16a316a2d048cdb0ec52ca Mon Sep 17 00:00:00 2001
From: Stijn Holzhauer
Date: Wed, 23 Mar 2022 00:36:53 +0100
Subject: [PATCH] [Rule Tuning] Adding event.provider to AWS WAF Rule or Rule Group Deletion (#1833)
* Adding event.provider
* Removing new line
* Updating updated_date field
Co-authored-by: Jonhnathan
---
 .../aws/defense_evasion_waf_rule_or_rule_group_deletion.toml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
index 16ec8ceed..1714eb4fa 100644
--- a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/09"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/03/11"
 integration = "aws"
 [rule]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:aws.cloudtrail and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success
+event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success
 '''
@@ -56,4 +56,3 @@ reference = "https://attack.mitre.org/techniques/T1562/001/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
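Review bot: Listing `wafv2.amazonaws.com` in the new `event.provider` clause of the second hunk can read as if WAFv2 rule removal is covered, but as far as I know the WAFv2 API has `DeleteRuleGroup` and no `DeleteRule`; removing an individual rule there is logged as `UpdateWebACL` or `UpdateRuleGroup`, which `event.action:(DeleteRule or DeleteRuleGroup)` does not match. I would state that limit where analysts will see it, for example a comment above `query = '''` such as `# WAFv2: only DeleteRuleGroup matches; rule removal via UpdateWebACL/UpdateRuleGroup is not covered here`. The provider list is also an exact allow-list, so it is worth confirming against sample CloudTrail events that these three values are what the integration actually writes to `event.provider`. The `[rule]` table starts and ends outside this hunk, so the description and false-positive text could not be checked for the same wording.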