Link Search Menu Expand Document

AWS_NACL_Permissive_Entry

ID: 100147

Description:

A user created a new network ACL entry allowing traffic from anywhere

Repository: Group: AWS Type: event

Default Status:

Enabled

Tags:
AWS
 

Selector:

Query:

Filters:

Field MUST hit
@cloudtrail.eventName CreateNetworkAclEntry
@cloudtrail.requestParameters.cidrBlock 0.0.0.0/0
@cloudtrail.requestParameters.ruleAction allow
@cloudtrail.requestParameters.egress False
Field MUST NOT hit
   

Behavior Rule:

Key Type Behavior Category
@cloudtrail.userIdentity.arn username  

Risks:

Risks Base Score Dimension
Timeline 0 -

Attributes:

Alias Key
Username @cloudtrail.userIdentity.sessionContext.sessionIssuer.userName
ARN @cloudtrail.userIdentity.arn
Type @cloudtrail.userIdentity.type

Correlation Rules:

First Occurrence:

Name Window Fields
NewUser 10 days @cloudtrail.userIdentity.sessionContext.sessionIssuer.userName
  Risks: ML_NEW_USER

History:

User Date
em*n@fluencysecurity.com 2020 Dec 10 02:37:11 EST
em*n@fluencysecurity.com 2021 Jan 28 14:02:22 EST

This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)