LoFP / Authorized administrators may delete Web ACLs as part of planned migrations, infrastructure refactoring, or automation-driven redeployments. Ensure the deletion aligns with approved change requests, maintenance windows, or known IaC workflows. Deletions performed by unfamiliar users, unusual identities, or unexpected automation should be investigated.

Techniques

Sample rules

AWS WAF Access Control List Deletion

Description

Identifies the deletion of an AWS Web Application Firewall (WAF) Web ACL. Web ACLs are the core enforcement objects in AWS WAF, defining which traffic is inspected, allowed, or blocked for protected applications. Deleting a Web ACL removes all associated rules, protections, and logging configurations. Adversaries who obtain sufficient privileges may delete a Web ACL to disable critical security controls, evade detection, or prepare for downstream attacks such as web-application compromise, data theft, or resource abuse. Because Web ACLs are rarely deleted outside of controlled maintenance or infrastructure updates, unexpected deletions may indicate potential defense evasion.

Detection logic

event.dataset: aws.cloudtrail
    and event.provider: (waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com)
    and event.action: DeleteWebACL
    and event.outcome: success
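The following is an added example, not part of the rule or its author's code: it applies the same match conditions to raw CloudTrail records and then applies the false-positive guidance above (known IaC principal, maintenance window) to each hit. The sample records, the approved principal ARN and the maintenance window are constructed assumptions; the field mapping assumes the Elastic aws.cloudtrail integration's eventSource -> event.provider, eventName -> event.action, and absent errorCode -> event.outcome: success.

```python
from datetime import datetime, timezone

# Constructed CloudTrail records (not real data). Raw CloudTrail field names are
# used; the ECS query on the page sees them as event.provider / event.action /
# event.outcome after ingestion.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-04T02:15:00Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "DeleteWebACL",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/terraform-deploy/ci"}},
    {"eventTime": "2024-05-06T14:03:00Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "DeleteWebACL",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-temp"}},
    {"eventTime": "2024-05-06T14:05:00Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "DeleteWebACL", "errorCode": "AccessDenied",   # failed call: outcome != success
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-temp"}},
    {"eventTime": "2024-05-06T14:06:00Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "GetWebACL",                                    # read-only, not a deletion
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-temp"}},
]

WAF_PROVIDERS = {"waf.amazonaws.com", "waf-regional.amazonaws.com", "wafv2.amazonaws.com"}
# Hypothetical allow-list of IaC principals and an approved maintenance window (assumed values).
APPROVED_PRINCIPALS = {"arn:aws:sts::111122223333:assumed-role/terraform-deploy/ci"}
MAINTENANCE_WINDOWS = [(datetime(2024, 5, 4, 1, tzinfo=timezone.utc),
                        datetime(2024, 5, 4, 5, tzinfo=timezone.utc))]

def matches_rule(event):
    """Same conditions as the page's query: WAF provider, DeleteWebACL, successful outcome."""
    return (event.get("eventSource") in WAF_PROVIDERS
            and event.get("eventName") == "DeleteWebACL"
            and "errorCode" not in event)

def triage(event):
    """Apply the false-positive guidance to a matching event and return a verdict."""
    actor = event.get("userIdentity", {}).get("arn", "")
    when = datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))
    if actor in APPROVED_PRINCIPALS:
        return "expected"             # known IaC/automation workflow
    if any(start <= when <= end for start, end in MAINTENANCE_WINDOWS):
        return "verify-change-request"  # inside a window, but an unfamiliar identity
    return "investigate"              # unfamiliar identity outside any approved window

def run(events=SAMPLE_EVENTS):
    """Return (actor ARN, verdict) for every record the rule fires on."""
    return [(e["userIdentity"]["arn"], triage(e)) for e in events if matches_rule(e)]

if __name__ == "__main__":
    for actor, verdict in run():
        print(f"{verdict:22s} {actor}")
```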