Network ACLs may be deleted by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

AWS EC2 Network Access Control List Deletion

Description

Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries.

Detection logic

event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success
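To show how the false-positive guidance above applies to this query, here is an added Python example (not the rule's own code or Elastic's) that evaluates the detection logic over constructed CloudTrail events already normalised to the ECS field names the query uses, then exempts a verified administrator identity/source pair. The user.name and source.address fields, the allowlist, and all sample values are assumptions of this example.

```python
# Added example: applies this rule's conditions to constructed CloudTrail
# events and exempts known-administrator activity as the LoFP note suggests.

RULE_ACTIONS = {"DeleteNetworkAcl", "DeleteNetworkAclEntry"}

def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's KQL conditions."""
    return (
        event.get("event.dataset") == "aws.cloudtrail"
        and event.get("event.provider") == "ec2.amazonaws.com"
        and event.get("event.action") in RULE_ACTIONS
        and event.get("event.outcome") == "success"
    )

def triage(events, known_admins):
    """Split matching events into alerts and exempted known-admin activity.

    known_admins is a set of (user.name, source.address) pairs the analyst has
    verified as legitimate; this identity/host check is the tuning step the
    false-positive note describes and is an assumption of this example.
    """
    alerts, exempted = [], []
    for ev in events:
        if not matches_rule(ev):
            continue
        key = (ev.get("user.name"), ev.get("source.address"))
        (exempted if key in known_admins else alerts).append(ev)
    return alerts, exempted

# Constructed sample events; identities and addresses are placeholders.
SAMPLE_EVENTS = [
    {"event.dataset": "aws.cloudtrail", "event.provider": "ec2.amazonaws.com",
     "event.action": "DeleteNetworkAclEntry", "event.outcome": "success",
     "user.name": "netadmin", "source.address": "203.0.113.10"},
    {"event.dataset": "aws.cloudtrail", "event.provider": "ec2.amazonaws.com",
     "event.action": "DeleteNetworkAcl", "event.outcome": "success",
     "user.name": "contractor-temp", "source.address": "198.51.100.77"},
    {"event.dataset": "aws.cloudtrail", "event.provider": "ec2.amazonaws.com",
     "event.action": "DeleteNetworkAcl", "event.outcome": "failure",
     "user.name": "contractor-temp", "source.address": "198.51.100.77"},
    {"event.dataset": "aws.cloudtrail", "event.provider": "ec2.amazonaws.com",
     "event.action": "CreateNetworkAclEntry", "event.outcome": "success",
     "user.name": "netadmin", "source.address": "203.0.113.10"},
]

# Assumed allowlist: the one administrator/host pair already verified.
KNOWN_ADMINS = {("netadmin", "203.0.113.10")}
```

Running triage(SAMPLE_EVENTS, KNOWN_ADMINS) yields one alert (the unfamiliar identity's successful DeleteNetworkAcl) and one exempted event; the failed call and the create action never match the rule.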