🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/tailpipe-mod-aws-cloudtrail-log-detections
Overview
4Dashboards
86Benchmarks
96Queries
1Variables
GitHub

Detection: WAF Web ACL Disassociated from ELB Application Load Balancer

Overview

Detect when a Web Application Firewall (WAF) ACL was disassociated from an Application Load Balancer (ALB). Disassociating a WAF ACL removes protective rules that safeguarded web applications from attacks such as SQL injection or cross-site scripting (XSS). Maintaining WAF ACL associations is critical to ensuring application security and mitigating potential threats.

References:

Usage

Run the detection in your terminal:

powerpipe detection run aws_cloudtrail_log_detections.detection.waf_web_acl_disassociated_from_elb_application_load_balancer

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run aws_cloudtrail_log_detections.detection.waf_web_acl_disassociated_from_elb_application_load_balancer --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
string_split(event_source, '.')[1] || ':' || event_name as operation,
request_parameters ->> 'resourceArn' as resource,
user_identity.arn as actor,
tp_source_ip as source_ip,
tp_index as account_id,
aws_region as region,
tp_id as source_id,
*


from
  aws_cloudtrail_log
where
  event_source = 'wafv2.amazonaws.com'
  and event_name = 'DisassociateWebACL'
  and (request_parameters ->> 'resourceArn') like '%elasticloadbalancing:%:%:loadbalancer/app/%'
  and error_code is null


order by
  event_time desc;

Tags

category = Detections
mitre_attack_ids = TA0005:T1562.001
plugin = aws
service = AWS/WAF