From 94974c38953dffc174ccc37404f6f0ef7fe928da Mon Sep 17 00:00:00 2001
From: Craig Chamberlain
Date: Tue, 7 Jul 2020 16:29:32 -0400
Subject: [PATCH] Detect DeleteRule events with AWS WAF Deletion
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Seth Goodwin <58222969+seth-goodwin@users.noreply.github.com>
---
 ...vasion_waf_rule_or_rule_group_deletion.toml} | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
 rename rules/aws/{defense_evasion_waf_rule_group_deletion.toml => defense_evasion_waf_rule_or_rule_group_deletion.toml} (64%)
diff --git a/rules/aws/defense_evasion_waf_rule_group_deletion.toml b/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
similarity index 64%
rename from rules/aws/defense_evasion_waf_rule_group_deletion.toml
rename to rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
index cdcd6b99b..750fb1348 100644
--- a/rules/aws/defense_evasion_waf_rule_group_deletion.toml
+++ b/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
@@ -2,24 +2,24 @@
 creation_date = "2020/06/09"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/09"
+updated_date = "2020/07/07"
 
 [rule]
 author = ["Elastic"]
-description = "Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule group."
+description = "Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group."
 false_positives = [
 """
- Firewall rule groups may be deleted by a system or network administrator. Verify whether the user identity, user
- agent, and/or hostname should be making changes in your environment. Rule group deletions from unfamiliar users or
- hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ WAF rules or rule groups may be deleted by a system or network administrator. Verify whether the user identity, user
+ agent, and/or hostname should be making changes in your environment. Rule deletions from unfamiliar users or hosts
+ should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-20m"
+from = "now-60m"
 index = ["filebeat-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "AWS WAF Rule Group Deletion"
+name = "AWS WAF Rule or Rule Group Deletion"
 references = [
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html",
 "https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html",
@@ -31,7 +31,7 @@ tags = ["AWS", "Elastic"]
 type = "query"
 
 query = '''
-event.action:DeleteRuleGroup and event.dataset:aws.cloudtrail and event.outcome:success
+event.module:aws and event.dataset:aws.cloudtrail and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success
 '''
 
 
@@ -47,4 +47,3 @@ reference = "https://attack.mitre.org/techniques/T1089/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
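Review bot: The `references` array on the new side still lists only the DeleteRuleGroup CLI and API pages, although the renamed rule now also alerts on DeleteRule; add the matching WAF DeleteRule API-reference and `aws waf delete-rule` CLI entries beside them so a DeleteRule alert links an analyst to the right documentation. The array's closing bracket falls outside this hunk. The lookback also widens from `now-20m` to `now-60m` while `interval` stays `10m`; if the extra overlap is meant to absorb CloudTrail delivery latency, saying so in the PR description would help, since the rule file itself carries no comment explaining it.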
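Review bot: The new query's `event.action:(DeleteRule or DeleteRuleGroup)` is not restricted to a WAF event source, and CloudTrail records a DeleteRule action for other services as well (CloudWatch Events/EventBridge rules and ELBv2 listener rules, for example), so the widened rule will also fire on rule deletions that have nothing to do with WAF. Scope the match to the WAF event sources, e.g. `event.action:(DeleteRule or DeleteRuleGroup) and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com)`, keeping the existing `event.module`, `event.dataset` and `event.outcome` terms. Filebeat's cloudtrail fileset maps the CloudTrail `eventSource` field to `event.provider`, which is how sibling AWS rules in this set normally pin a service; confirm the field name against the indexed data before merging.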