security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Detect DeleteRule events with AWS WAF Deletion

Browse Source 
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Seth Goodwin <58222969+seth-goodwin@users.noreply.github.com>
This commit is contained in:
Craig Chamberlain
2020-07-07 16:29:32 -04:00
committed by Ross Wolf
parent ee82874c24
commit 94974c3895
1 changed files with 8 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/aws/defense_evasion_waf_rule_group_deletion.toml → rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
+8 -9
View File
@@ -2,24 +2,24 @@
creation_date = "2020/06/09"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/06/09"
updated_date = "2020/07/07"
[rule]
author = ["Elastic"]
description = "Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule group."
description = "Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group."
false_positives = [
"""
Firewall rule groups may be deleted by a system or network administrator. Verify whether the user identity, user
agent, and/or hostname should be making changes in your environment. Rule group deletions from unfamiliar users or
hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
WAF rules or rule groups may be deleted by a system or network administrator. Verify whether the user identity, user
agent, and/or hostname should be making changes in your environment. Rule deletions from unfamiliar users or hosts
should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-20m"
from = "now-60m"
index = ["filebeat-*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "AWS WAF Rule Group Deletion"
name = "AWS WAF Rule or Rule Group Deletion"
references = [
"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html",
"https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html",
@@ -31,7 +31,7 @@ tags = ["AWS", "Elastic"]
type = "query"
query = '''
event.action:DeleteRuleGroup and event.dataset:aws.cloudtrail and event.outcome:success
event.module:aws and event.dataset:aws.cloudtrail and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success
'''
@@ -47,4 +47,3 @@ reference = "https://attack.mitre.org/techniques/T1089/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"