...
```
/* A malicious user has gained access to WAF configuration. The user has created
   a rule which has blocked critical traffic. Identify new rules which are
   blocking lots of traffic so they can be removed. */
from cloud.aws.waf.logs
where eq(action, "BLOCK")
group by terminatingRuleId
select count() as requests_blocked,
       first(eventdate) as rule_started
where rule_started > today() - 7d  // recently created rule
```
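The same detection, as an added example that is not part of the Devo page: a Python re-implementation of the query over raw AWS WAF JSON log lines. It assumes the native AWS WAF log fields `timestamp` (epoch milliseconds), `action` and `terminatingRuleId`, which is what the `cloud.aws.waf.logs` table ingests; the sample events and rule names are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Fixed "now" so the constructed sample is reproducible.
NOW = datetime(2024, 6, 15, 12, 0, tzinfo=timezone.utc)


def _event(days_ago, action, rule):
    """One constructed AWS WAF log line; WAF stores the time as epoch ms."""
    ts = int((NOW - timedelta(days=days_ago)).timestamp() * 1000)
    return json.dumps({"timestamp": ts, "action": action,
                       "terminatingRuleId": rule})


# Constructed sample (not real traffic): a long-standing managed rule that
# blocks a little, a freshly added custom rule that blocks a lot, and an
# allowed request that must not be counted.
SAMPLE_LOGS = "\n".join(
    [_event(30, "BLOCK", "AWS-AWSManagedRulesSQLiRuleSet"),
     _event(1.5, "BLOCK", "AWS-AWSManagedRulesSQLiRuleSet")]
    + [_event(2 - i * 0.1, "BLOCK", "block-api-traffic") for i in range(12)]
    + [_event(0.5, "ALLOW", "Default_Action")]
)


def newly_created_blocking_rules(log_text, now=NOW, window=timedelta(days=7)):
    """Equivalent of the Devo query: per terminating rule, count BLOCK events
    and keep the first time the rule fired; report only rules whose first
    block falls after today()-window, i.e. rules that did not exist before.
    Returns [(rule_id, requests_blocked, rule_started)] sorted by blocks desc.
    """
    stats = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("action") != "BLOCK":                  # where eq(action,"BLOCK")
            continue
        rule = ev["terminatingRuleId"]                   # group by terminatingRuleId
        ts = datetime.fromtimestamp(ev["timestamp"] / 1000, tz=timezone.utc)
        count, first = stats.get(rule, (0, ts))
        stats[rule] = (count + 1, min(first, ts))        # count(), first(eventdate)
    # Devo's today() is midnight of the current day, so cut off from there.
    cutoff = now.replace(hour=0, minute=0, second=0, microsecond=0) - window
    recent = [(r, c, f) for r, (c, f) in stats.items() if f > cutoff]
    return sorted(recent, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for rule, blocked, started in newly_created_blocking_rules(SAMPLE_LOGS):
        print(f"{rule}: {blocked} blocked, first seen {started:%Y-%m-%d %H:%M}")
```

A rule that has existed for months but happens to block again today is excluded, because `first()` of its block events lies outside the window; only rules whose earliest block is recent are surfaced.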
Monitor It
Create an inactivity alert to detect interruptions in the transfer of data from the source to the SQS queue, using the query
...