name: AWS Network Access Control List Deleted
id: ada0f478-84a8-4641-a3f1-d82362d6fd75
version: 4
date: '2024-09-30'
author: Bhavin Patel, Patrick Bareiss, Splunk
status: production
type: Anomaly
description: The following analytic detects the deletion of AWS Network Access Control Lists (ACLs). It leverages AWS CloudTrail logs to identify events where a user deletes a network ACL entry. This activity is significant because deleting a network ACL entry can remove critical access restrictions, potentially allowing unauthorized access to cloud instances. If confirmed malicious, this action could enable attackers to bypass network security controls, leading to unauthorized access, data exfiltration, or further compromise of the cloud environment.
data_source:
- AWS CloudTrail DeleteNetworkAclEntry
search: '`cloudtrail` eventName=DeleteNetworkAclEntry requestParameters.egress=false | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by user_arn userIdentity.principalId eventName requestParameters.egress src userAgent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_network_access_control_list_deleted_filter`'
how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and the Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs.
known_false_positives: It's possible that a user has legitimately deleted a network ACL entry.
references: []
drilldown_searches:
- name: 'View the detection results for - "$user_arn$"'
  search: '%original_detection_search% | search user_arn = "$user_arn$"'
  earliest_offset: '$info_min_time$'
  latest_offset: '$info_max_time$'
- name: 'View risk events for the last 7 days for - "$user_arn$"'
  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
  earliest_offset: '$info_min_time$'
  latest_offset: '$info_max_time$'
tags:
  analytic_story:
  - 'AWS Network ACL Activity'
  asset_type: AWS Instance
  confidence: 50
  impact: 10
  message: User $user_arn$ from $src$ has successfully deleted a network ACL entry (eventName= $eventName$), such that the instance is accessible from anywhere
  mitre_attack_id:
  - 'T1562.007'
  - 'T1562'
  observable:
  - name: 'src'
    type: 'IP Address'
    role:
    - 'Attacker'
  - name: 'user_arn'
    type: 'User'
    role:
    - 'Victim'
  product:
  - 'Splunk Enterprise'
  - 'Splunk Enterprise Security'
  - 'Splunk Cloud'
  required_fields:
  - '_time'
  - 'eventName'
  - 'requestParameters.egress'
  - 'userName'
  - 'userIdentity.principalId'
  - 'src'
  - 'userAgent'
  risk_score: 5
  security_domain: network
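The search above, re-expressed in Python as an added example (not part of the Splunk detection or of security_content): the `eventName`/`egress` filter and the `stats ... by` grouping are applied to constructed CloudTrail records so the matching logic can be checked offline. It assumes the add-on's field mapping `user_arn` <- `userIdentity.arn` and `src` <- `sourceIPAddress`; the `fillnull` step is not modelled.

```python
from datetime import datetime, timezone

# Constructed CloudTrail records (not real account data). Assumed mapping of the
# Splunk fields: user_arn <- userIdentity.arn, src <- sourceIPAddress.
ALICE = {"arn": "arn:aws:iam::123456789012:user/alice", "principalId": "AIDAEXAMPLE1"}
SAMPLE_EVENTS = [
    {"eventTime": "2024-09-30T10:00:00Z", "eventName": "DeleteNetworkAclEntry",
     "userIdentity": ALICE, "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"networkAclId": "acl-0example", "ruleNumber": 100, "egress": False}},
    # Outbound rule removed (egress=true): outside the rule's filter.
    {"eventTime": "2024-09-30T10:05:00Z", "eventName": "DeleteNetworkAclEntry",
     "userIdentity": ALICE, "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"networkAclId": "acl-0example", "ruleNumber": 100, "egress": True}},
    # Different API call: outside the rule's filter.
    {"eventTime": "2024-09-30T10:07:00Z", "eventName": "CreateNetworkAclEntry",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob", "principalId": "AIDAEXAMPLE2"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "console.amazonaws.com",
     "requestParameters": {"networkAclId": "acl-0example", "ruleNumber": 110, "egress": False}},
    # Second inbound deletion by the same principal and source: same stats group.
    {"eventTime": "2024-09-30T10:12:00Z", "eventName": "DeleteNetworkAclEntry",
     "userIdentity": ALICE, "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"networkAclId": "acl-0example", "ruleNumber": 200, "egress": False}},
]

def matches(event):
    """SPL filter: eventName=DeleteNetworkAclEntry requestParameters.egress=false (egress is a JSON boolean; compared as text, as SPL does)."""
    params = event.get("requestParameters") or {}
    return (event.get("eventName") == "DeleteNetworkAclEntry"
            and str(params.get("egress")).lower() == "false")

def detect(events):
    """SPL stats clause: count, firstTime, lastTime by user_arn, principalId,
    eventName, egress, src, userAgent. One result dict per group."""
    groups = {}
    for ev in filter(matches, events):
        ident = ev.get("userIdentity") or {}
        key = (ident.get("arn"), ident.get("principalId"), ev["eventName"],
               ev["requestParameters"]["egress"], ev.get("sourceIPAddress"), ev.get("userAgent"))
        t = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        g = groups.setdefault(key, {"count": 0, "firstTime": t, "lastTime": t})
        g["count"] += 1
        g["firstTime"], g["lastTime"] = min(g["firstTime"], t), max(g["lastTime"], t)
    return [dict(zip(("user_arn", "principalId", "eventName", "egress", "src", "userAgent"), k), **v)
            for k, v in groups.items()]

def risk_message(r):
    """The detection's message template with $user_arn$, $src$ and $eventName$ filled in."""
    return (f"User {r['user_arn']} from {r['src']} has successfully deleted "
            f"a network ACL entry (eventName= {r['eventName']})")
```

Run `detect(SAMPLE_EVENTS)` to see that only the two inbound deletions by the same principal fold into one result with count 2, while the egress=true deletion and the CreateNetworkAclEntry call are ignored.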