Cloud Network Access Control List Deleted

Original Source: [splunk source]
name: Cloud Network Access Control List Deleted
id: 021abc51-1862-41dd-ad43-43c739c0a983
version: 3
date: 2024-10-17
author: Peter Gael, Splunk
status: deprecated
type: Anomaly
description: Enforcing network-access controls is one of the defensive mechanisms cloud administrators use to restrict access to a cloud instance. Once an attacker has gained control of the console by compromising an admin account, they can delete a network ACL and reach the instance from anywhere. This search queries the Change datamodel to detect users deleting network ACLs. Deprecated because it is a duplicate.
data_source:
search: |
  `cloudtrail` eventName=DeleteNetworkAcl
  | rename userIdentity.arn as arn
  | stats count min(_time) as firstTime max(_time) as lastTime values(errorMessage) values(errorCode) values(userAgent) values(userIdentity.*) by src userName arn eventName
  | `security_content_ctime(lastTime)`
  | `security_content_ctime(firstTime)`
  | `cloud_network_access_control_list_deleted_filter`

how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud provider. You can also provide additional filtering for this search by customizing the `cloud_network_access_control_list_deleted_filter` macro.
known_false_positives: It's possible that a user has legitimately deleted a network ACL.
references:
drilldown_searches:
tags:
  analytic_story:
    - 'AWS Network ACL Activity'
  asset_type: Instance
  confidence: 50
  impact: 50
  message: tbd
  observable:
    - name: 'userName'
      type: 'User'
      role:
        - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'eventName'
    - 'userIdentity.arn'
    - 'errorMessage'
    - 'errorCode'
    - 'userAgent'
    - 'src'
    - 'userName'
    - 'arn'
  risk_score: 25
  security_domain: network

tests:
manual_test: None

Related Analytic Stories

AWS Network ACL Activity