AWS_NACL_Permissive_Entry
ID: 100147
Description:
A user created a new network ACL entry allowing traffic from anywhere
Repository: Group: AWS Type: event
Default Status:
Enabled
Tags: |
---|
AWS |
Selector:
Query:
Filters:
Field | MUST hit |
---|---|
@cloudtrail.eventName | CreateNetworkAclEntry |
@cloudtrail.requestParameters.cidrBlock | 0.0.0.0/0 |
@cloudtrail.requestParameters.ruleAction | allow |
@cloudtrail.requestParameters.egress | False |
Field | MUST NOT hit |
---|---|
Behavior Rule:
Key | Type | Behavior Category |
---|---|---|
@cloudtrail.userIdentity.arn | username |
Risks:
Risks | Base Score | Dimension |
---|---|---|
Timeline | 0 | - |
Attributes:
Alias | Key |
---|---|
Username | @cloudtrail.userIdentity.sessionContext.sessionIssuer.userName |
ARN | @cloudtrail.userIdentity.arn |
Type | @cloudtrail.userIdentity.type |
Correlation Rules:
First Occurrence:
Name | Window | Fields |
---|---|---|
NewUser | 10 days | @cloudtrail.userIdentity.sessionContext.sessionIssuer.userName |
Risks: | ML_NEW_USER |
History:
User | Date |
---|---|
em*n@fluencysecurity.com | 2020 Dec 10 02:37:11 EST |
em*n@fluencysecurity.com | 2021 Jan 28 14:02:22 EST |
This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)