Closed ianlewis-pas closed 2 years ago
Hey @ianlewis-pas, thanks for the issue! Would removing these event actions defeat the purpose of the rule? Or is UpdateWebACL generated when a rule is deleted?
Do you think that specifying an event.provider would solve this?
Sorry, I wasn't very clear in my issue. Basically, for me this rule is not firing when a WAF rule or rule group is deleted from a WAF WebACL, but it is firing when a load balancer rule (i.e. an HTTP to HTTPS redirect) is deleted. When I delete a rule from a WAF WebACL the event is UpdateWebACL. The event.provider note is just to be more specific and to search better.
Link to rule
https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
Description
This rule also fires for ELB changes. I would suggest adding this to the query:
event.provider : wafv2.amazonaws.com event.action : UpdateWebACL
And removing event.action:(DeleteRule or DeleteRuleGroup)
Example Data
Example ELB false positive:
event.action : DeleteRule event.provider : elasticloadbalancing.amazonaws.com
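To make the proposed change concrete, here is an added example (not code from the elastic/detection-rules project and not its KQL engine) that evaluates three predicates against constructed CloudTrail-style events: the action clause quoted in the issue, the issue's proposal (scope to wafv2 and match UpdateWebACL), and a third variant, assumed here and not from the issue, that keeps the original delete actions but scopes them to the wafv2 provider in case dropping DeleteRuleGroup would lose real WAF deletions. The field names come from the issue; the sample events, the helper functions and the third variant are assumptions.

```python
# Added example: compare how the original action clause, the issue's proposed
# query, and a provider-scoped alternative behave on constructed CloudTrail-
# style events. Only event.provider / event.action are modelled; the real rule
# carries other clauses that are not reproduced here (assumption).

# Constructed sample events (ECS-style flat field names as quoted in the issue).
SAMPLE_EVENTS = [
    # ELB listener rule deletion: the false positive reported in the issue.
    {"event.provider": "elasticloadbalancing.amazonaws.com", "event.action": "DeleteRule"},
    # Deleting a rule from a WAF WebACL surfaces as UpdateWebACL (per the issue).
    {"event.provider": "wafv2.amazonaws.com", "event.action": "UpdateWebACL"},
    # Deleting a whole WAF rule group.
    {"event.provider": "wafv2.amazonaws.com", "event.action": "DeleteRuleGroup"},
    # Unrelated API call that no variant should match.
    {"event.provider": "ec2.amazonaws.com", "event.action": "TerminateInstances"},
]

# Each query is an AND of clauses; each clause is field -> set of accepted
# values, mirroring KQL such as `event.action : (DeleteRule or DeleteRuleGroup)`.
ORIGINAL_ACTION_CLAUSE = {
    "event.action": {"DeleteRule", "DeleteRuleGroup"},
}
PROPOSED_QUERY = {  # the change suggested in the issue
    "event.provider": {"wafv2.amazonaws.com"},
    "event.action": {"UpdateWebACL"},
}
SCOPED_ALTERNATIVE = {  # assumed alternative: keep delete actions, scope provider
    "event.provider": {"wafv2.amazonaws.com"},
    "event.action": {"DeleteRule", "DeleteRuleGroup", "UpdateWebACL"},
}


def build_predicate(clauses):
    """Return a callable that is true when every clause accepts the event's value."""
    def predicate(event):
        return all(event.get(field) in values for field, values in clauses.items())
    return predicate


def evaluate(clauses, events=SAMPLE_EVENTS):
    """Return (provider, action) pairs of the events the query would alert on."""
    predicate = build_predicate(clauses)
    return [(ev["event.provider"], ev["event.action"]) for ev in events if predicate(ev)]


def non_waf_hits(clauses, events=SAMPLE_EVENTS):
    """Hits whose provider is not wafv2: for this rule's intent, these are false positives."""
    return [hit for hit in evaluate(clauses, events) if hit[0] != "wafv2.amazonaws.com"]


if __name__ == "__main__":
    for name, query in [("original action clause", ORIGINAL_ACTION_CLAUSE),
                        ("issue proposal", PROPOSED_QUERY),
                        ("provider-scoped alternative", SCOPED_ALTERNATIVE)]:
        print(f"{name}: hits={evaluate(query)} non-WAF hits={non_waf_hits(query)}")
```

Running it shows the original clause alerting on the ELB DeleteRule event, the issue's proposal alerting only on UpdateWebACL (and therefore no longer on DeleteRuleGroup), and the provider-scoped alternative catching both WAF events with no ELB hit. Which of the last two is right depends on whether DeleteRuleGroup should remain in scope, which is the question the maintainer raised above.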