Rules: AWS WAF Access Control List Updated
Detects the AWS WAF UpdateWebACL API action. UpdateWebACL updates the specified WebACL. A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more AWS resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, or an AWS AppSync GraphQL API.
| Detail | Value |
|---|---|
| Type | Templated Match |
| Category | Defense Evasion |
| Apply Risk to Entities | device_ip, user_username, srcDevice_ip, device_hostname, srcDevice_hostname |
| Signal Name | AWS WAF Access Control List Updated |
| Summary Expression | {{action}} performed by user: {{user_username}} |
| Score/Severity | Static: 2 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0005, _mitreAttackTechnique:T1562, _mitreAttackTechnique:T1562.007 |
| Origin | Field |
|---|---|
| Normalized Schema | action |
| Normalized Schema | application |
| Normalized Schema | device_hostname |
| Normalized Schema | device_ip |
| Normalized Schema | listMatches |
| Normalized Schema | metadata_product |
| Normalized Schema | metadata_vendor |
| Normalized Schema | srcDevice_hostname |
| Normalized Schema | srcDevice_ip |
| Normalized Schema | user_username |