LoFP / it's possible that a user has legitimately deleted a network ACL.

Techniques

Sample rules

ASL AWS Network Access Control List Deleted

Description

The following analytic detects the deletion of AWS Network Access Control Lists (ACLs). It leverages AWS CloudTrail logs to identify events where a user deletes a network ACL entry. This activity is significant because deleting a network ACL can remove critical access restrictions, potentially allowing unauthorized access to cloud instances. If confirmed malicious, this action could enable attackers to bypass network security controls, leading to unauthorized access, data exfiltration, or further compromise of the cloud environment.

Detection logic

`amazon_security_lake` api.operation=DeleteNetworkAclEntry status=Success 
| spath input=api.request.data path=egress output=egress 
| spath input=api.request.data path=networkAclId output=networkAclId 
| search egress=false 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region networkAclId 
| rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `asl_aws_network_access_control_list_deleted_filter`

AWS Network Access Control List Deleted

Description

The following analytic detects the deletion of AWS Network Access Control Lists (ACLs). It leverages AWS CloudTrail logs to identify events where a user deletes a network ACL entry. This activity is significant because deleting a network ACL can remove critical access restrictions, potentially allowing unauthorized access to cloud instances. If confirmed malicious, this action could enable attackers to bypass network security controls, leading to unauthorized access, data exfiltration, or further compromise of the cloud environment.

Detection logic

`cloudtrail` eventName=DeleteNetworkAclEntry requestParameters.egress=false 
| fillnull 
| rename user_name as user 
| stats count min(_time) as firstTime max(_time) as lastTime by signature dest user user_agent src vendor_account vendor_region vendor_product 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_network_access_control_list_deleted_filter`
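As an added illustration, not part of either rule above, the filter and stats stages of both queries expressed in Python over constructed CloudTrail records: the `_event` helper, the account id, the ACL ids and the timestamps are all made up, and `require_success` stands in for the Security Lake variant's `status=Success` check.

```python
from datetime import datetime, timezone


def _event(time, name, user, acl, egress=None, error=None,
           src="198.51.100.10", ua="console.amazonaws.com"):
    """Build a trimmed CloudTrail record (constructed sample, not a real log)."""
    params = {"networkAclId": acl}
    if egress is not None:
        params.update({"ruleNumber": 100, "egress": egress})
    ev = {"eventTime": time, "eventName": name, "sourceIPAddress": src, "userAgent": ua,
          "userIdentity": {"arn": f"arn:aws:iam::123456789012:user/{user}"},
          "requestParameters": params}
    if error:
        ev["errorCode"] = error  # CloudTrail marks a failed API call with errorCode
    return ev


SAMPLE_EVENTS = [  # constructed; account id and ACL ids are placeholders
    _event("2024-05-01T10:00:00Z", "DeleteNetworkAclEntry", "alice", "acl-0a1b2c3d4e5f67890", False),
    _event("2024-05-01T10:05:00Z", "DeleteNetworkAclEntry", "alice", "acl-0a1b2c3d4e5f67890", False),
    _event("2024-05-01T10:06:00Z", "DeleteNetworkAclEntry", "alice", "acl-0a1b2c3d4e5f67890", True),
    _event("2024-05-01T11:00:00Z", "DeleteNetworkAcl", "bob", "acl-0a1b2c3d4e5f67890"),
    _event("2024-05-01T11:30:00Z", "DeleteNetworkAclEntry", "bob", "acl-0fedcba9876543210", "false",
           error="Client.UnauthorizedOperation"),
]


def matches_rule(event, require_success=False):
    """True for an inbound (egress=false) DeleteNetworkAclEntry, as the CloudTrail rule selects.
    Outbound-rule deletions and whole-ACL DeleteNetworkAcl calls are excluded.
    require_success=True adds the Security Lake variant's status=Success condition."""
    if event.get("eventName") != "DeleteNetworkAclEntry":
        return False
    params = event.get("requestParameters") or {}
    # SPL compares the literal text "false"; raw JSON may carry a boolean or a string.
    if params.get("egress") not in (False, "false"):
        return False
    return not (require_success and "errorCode" in event)


def aggregate(events, require_success=False):
    """Mimic the stats stage: count/firstTime/lastTime per user, src, user_agent, networkAclId."""
    rows = {}
    for ev in events:
        if not matches_rule(ev, require_success):
            continue
        key = (ev["userIdentity"]["arn"], ev["sourceIPAddress"], ev["userAgent"],
               ev["requestParameters"]["networkAclId"])
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        row = rows.setdefault(key, {"count": 0, "firstTime": ts, "lastTime": ts})
        row["count"] += 1
        row["firstTime"], row["lastTime"] = min(row["firstTime"], ts), max(row["lastTime"], ts)
    return rows
```

The denied attempt by `bob` is still reported by the CloudTrail-style rule, which is one reason the Security Lake variant adds the success filter.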