
Summary
This detection rule identifies the deletion of AWS Web Application Firewall (WAF) rules or rule groups, which may indicate defense evasion attempts by malicious actors. When attackers seek to disable security measures, they often remove or alter these configurations to make web applications vulnerable to threats such as SQL injection or cross-site scripting. The rule operates by monitoring AWS CloudTrail logs for specific deletion events associated with WAF. Investigating these deletions involves examining user identities, IP addresses, and correlating events in the CloudTrail logs to identify whether the action was authorized. The design of the rule includes measures for addressing false positives, particularly those related to authorized administrative activities that may logically lead to WAF modifications. A response framework is also provided to guide actions following detection, including immediate reviews of logs, potential restoration of deleted rules, and enhanced monitoring to prevent future occurrences.
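The summary describes the mechanism only in outline: watch CloudTrail for WAF deletion events, then triage on the calling identity and source IP, and account for authorized administrative changes. The following Python is an added worked example of that logic and is not the rule's own query or code. It parses the standard CloudTrail `{"Records": [...]}` envelope, matches the real event sources for the WAF Classic, WAF Regional and WAFv2 APIs against the `DeleteWebACL`, `DeleteRuleGroup` and `DeleteRule` calls (which specific names the page's rule matches is an assumption here), tags calls made by an assumed change-management role as the expected-admin false-positive case rather than dropping them, keeps denied attempts visible via `errorCode`, and correlates findings per principal. The sample records, account id, IPs, role names and resource ids are all constructed.

```python
import json

# Real CloudTrail event sources for the three AWS WAF API families and the
# API calls that remove protections. Which names the page's rule matches is
# not stated there; this selection is an assumption for the example.
WAF_EVENT_SOURCES = {
    "waf.amazonaws.com",           # WAF Classic (global)
    "waf-regional.amazonaws.com",  # WAF Classic (regional)
    "wafv2.amazonaws.com",         # WAF v2
}
WAF_DELETE_ACTIONS = {"DeleteWebACL", "DeleteRuleGroup", "DeleteRule"}

# Principals expected to change WAF through change management. Constructed
# placeholder; a real deployment maintains this list from its own inventory.
AUTHORIZED_ROLE_NAMES = {"WafChangeManagement"}

# Constructed sample CloudTrail records in the real "Records" envelope shape.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2020-06-09T10:15:00Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "DeleteWebACL", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DevOps/alice"},
     "requestParameters": {"name": "prod-web-acl", "scope": "REGIONAL"}},
    {"eventTime": "2020-06-09T10:16:00Z", "eventSource": "waf-regional.amazonaws.com",
     "eventName": "DeleteRuleGroup", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/WafChangeManagement/deploy"},
     "requestParameters": {"ruleGroupId": "rg-placeholder-0001"}},
    {"eventTime": "2020-06-09T10:17:00Z", "eventSource": "wafv2.amazonaws.com",
     "eventName": "GetWebACL", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DevOps/alice"}},
    {"eventTime": "2020-06-09T10:18:00Z", "eventSource": "waf.amazonaws.com",
     "eventName": "DeleteRule", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/bob"}},
]})


def load_records(raw_json):
    """Parse a CloudTrail log file body (the {"Records": [...]} envelope)."""
    return json.loads(raw_json).get("Records", [])


def role_name(identity):
    """Return the role name from an assumed-role or IAM-role ARN, else None."""
    arn = identity.get("arn", "")
    parts = arn.split(":")[-1].split("/")
    if parts[0] in ("assumed-role", "role") and len(parts) > 1:
        return parts[1]
    return None


def is_waf_deletion(record):
    """True for any WAF API call that deletes a web ACL, rule group or rule."""
    return (record.get("eventSource") in WAF_EVENT_SOURCES
            and record.get("eventName") in WAF_DELETE_ACTIONS)


def detect_waf_deletions(records):
    """Return one finding per WAF deletion call, with triage context attached."""
    findings = []
    for rec in records:
        if not is_waf_deletion(rec):
            continue
        identity = rec.get("userIdentity", {})
        findings.append({
            "time": rec.get("eventTime"),
            "action": rec["eventName"],
            "source": rec["eventSource"],
            "principal": identity.get("arn", "<unknown>"),
            "source_ip": rec.get("sourceIPAddress"),
            "target": rec.get("requestParameters", {}),
            # A record carrying errorCode is a denied or failed call: the WAF
            # object still exists, but the attempt itself is worth review.
            "succeeded": "errorCode" not in rec,
            # Authorized change-management roles are the documented
            # false-positive case; tag rather than suppress so they can be audited.
            "expected_admin": role_name(identity) in AUTHORIZED_ROLE_NAMES,
        })
    return findings


def summarize_by_principal(findings):
    """Count findings per principal; one identity stripping several rules stands out."""
    counts = {}
    for f in findings:
        counts[f["principal"]] = counts.get(f["principal"], 0) + 1
    return counts


if __name__ == "__main__":
    for finding in detect_waf_deletions(load_records(SAMPLE_LOG)):
        print(json.dumps(finding))
```

On the constructed input this yields three findings: the `DeleteWebACL` by the DevOps role (unexpected, succeeded), the `DeleteRuleGroup` by the change-management role (tagged as expected admin activity for a lighter-weight review), and the denied `DeleteRule` by an IAM user (surfaced with `succeeded` false). The `GetWebACL` read is ignored. Restoring a deleted web ACL or rule group is a separate step handled from infrastructure-as-code or backups, not something this detection performs.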
Categories
- Cloud
Data Sources
- Cloud Service
- Network Traffic
ATT&CK Techniques
- T1562
- T1562.001
Created: 2020-06-09