elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Rule Tuning] AWS WAF Rule or Rule Group Deletion #1709

Closed ianlewis-pas closed 2 years ago

ianlewis-pas commented 2 years ago

Link to rule

https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml

Description

This rule fires also for ELB changes. I would suggest adding this to the query:

event.provider : wafv2.amazonaws.com event.action : UpdateWebACL

And removing event.action:(DeleteRule or DeleteRuleGroup)

Example Data

Example ELB false positive:

event.action : DeleteRule event.provider : elasticloadbalancing.amazonaws.com

w0rk3r commented 2 years ago

Hey @ianlewis-pas, thanks for the Issue! Removing these event actions would stop the purpose of the rule? Or UpdateWebACL is generated when a rule is deleted?

Do you think that specifying an event.provider would solve this?

ianlewis-pas commented 2 years ago

Sorry I wasn't very clear in my issue. Basically for me, this rule is not firing when a WAF rule or rule group is deleted from a WAF WebACL. But it is firing when a load balancer rule, i.e. an http to https redirect, is deleted. When I delete a rule from a WAF WebACL the event is UpdateWebACL. The event.provider note is just to be more specific/search better.

SHolzhauer commented 2 years ago

Looking at the query and the AWS documentation for both WAF and ELB you shouldn't be having false positives. Granted, adding the event.provider could be a preferred addition to scope it down to the correct service no matter what.

Any chance you could share the signal which triggered for you?
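The tuning discussed in this thread (scoping the query by event.provider and adding UpdateWebACL), as an added example that is not from the issue or from the elastic/detection-rules repository. The rule's full original query is not quoted in the thread, so the unscoped version below, the provider strings and the sample events are assumptions, constructed to show why an ELB DeleteRule event can match an action-only query.

```python
# Added example (not from the issue or the elastic/detection-rules repo):
# evaluate two candidate detection queries against constructed CloudTrail-derived
# events and return which events each query would alert on.

DELETE_ACTIONS = {"DeleteRule", "DeleteRuleGroup"}
# Assumed provider values for classic WAF and WAFv2; not quoted in the issue.
WAF_PROVIDERS = {"waf.amazonaws.com", "wafv2.amazonaws.com"}


def unscoped_rule(event: dict) -> bool:
    """Approximation of the rule as discussed: action-only match, no provider.

    Assumes event.dataset:aws.cloudtrail and event.action:(DeleteRule or
    DeleteRuleGroup); the actual TOML query is not reproduced in the thread.
    """
    return (event.get("event.dataset") == "aws.cloudtrail"
            and event.get("event.action") in DELETE_ACTIONS)


def scoped_rule(event: dict) -> bool:
    """Candidate tuning: restrict to WAF providers and also match UpdateWebACL.

    Caveat: WAFv2 emits UpdateWebACL for any change to a WebACL's rule list,
    additions included, so this widens the rule beyond deletions.
    """
    if event.get("event.dataset") != "aws.cloudtrail":
        return False
    if event.get("event.provider") not in WAF_PROVIDERS:
        return False
    action = event.get("event.action")
    return action in DELETE_ACTIONS or action == "UpdateWebACL"


# Constructed sample events using the ECS-style field names from the issue.
SAMPLE_EVENTS = {
    "elb_delete_rule": {"event.dataset": "aws.cloudtrail",
                        "event.provider": "elasticloadbalancing.amazonaws.com",
                        "event.action": "DeleteRule"},
    "wafv2_update_webacl": {"event.dataset": "aws.cloudtrail",
                            "event.provider": "wafv2.amazonaws.com",
                            "event.action": "UpdateWebACL"},
    "waf_delete_rule_group": {"event.dataset": "aws.cloudtrail",
                              "event.provider": "waf.amazonaws.com",
                              "event.action": "DeleteRuleGroup"},
}


def evaluate(rule, events=SAMPLE_EVENTS) -> list:
    """Names of the sample events on which the given rule would alert."""
    return [name for name, ev in events.items() if rule(ev)]
```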