DeleteRuleGroup
AWS
DeleteRuleGroup
Event
Permanently deletes a WAF rule group containing a set of web traffic filtering rules.
Security Context
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
Log Source
CloudTrail
Sample Event
Adversarial. Draco deletes the BILLYWIG ingress rule group (billywig-public-ingress-rg) used by the public API edge before he attempts a credential-stuffing burst against /login. Removing the WAF rule group eliminates the rate-based and bot-control rules that would have throttled him. T1685.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T19:02:11Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T20:08:42Z", "eventSource": "wafv2.amazonaws.com", "eventName": "DeleteRuleGroup", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "name": "billywig-public-ingress-rg", "scope": "REGIONAL", "id": "60000000-0000-4000-8000-000011111100", "lockToken": "a1b2c3d4-5678-90ab-cdef-1234567890ab" }, "responseElements": null, "requestID": "90000000-0000-4000-8000-000011111010", "eventID": "90000000-0000-4000-8000-000011111011", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "wafv2.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Defense Impairment
Techniques:
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...