forked from splunk/security_content
aws_network_acl.yml
category:
- Cloud Security
channel: ESCU
creation_date: '2018-01-10'
description: Monitor your AWS network infrastructure for bad configurations and malicious
  activity. Investigative searches help you probe deeper, when the facts warrant it.
detections:
- detection_id: ada0f478-84a8-4641-a3f1-d82362d6bd75
  name: AWS Network Access Control List Created with All Open Ports
  type: splunk
- detection_id: ada0f478-84a8-4641-a3f1-d82362d6fd75
  name: AWS Network Access Control List Deleted
  type: splunk
- detection_id: ada0f278-84a8-46w1-a3f1-w32372d4bd53
  name: Detect Spike in blocked Outbound Traffic from your AWS
  type: splunk
- detection_id: ada0f478-84a8-4641-a1f1-e32372d4bd53
  name: Detect Spike in Network ACL Activity
  type: splunk
id: 2e8948a5-5239-406b-b56b-6c50ff268af4
maintainers:
- company: Splunk
  email: bpatel@splunk.com
  name: Bhavin Patel
modification_date: '2018-05-21'
name: AWS Network ACL Activity
narrative: AWS CloudTrail is an AWS service that helps you enable governance, compliance,
  and operational/risk auditing of your AWS account. Actions taken by a user, role,
  or an AWS service are recorded as events in CloudTrail. It is crucial for a company
  to monitor events and actions taken in the AWS Management Console, AWS Command Line
  Interface, and AWS SDKs and APIs to ensure that your servers are not vulnerable
  to attacks. This analytic story contains detection searches that leverage CloudTrail
  logs from AWS to check for bad configurations and malicious activity in your AWS
  network access controls.
original_authors:
- company: Splunk
  email: bpatel@splunk.com
  name: Bhavin Patel
references:
- https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_NACLs.html
- https://aws.amazon.com/blogs/security/how-to-help-prepare-for-ddos-attacks-by-reducing-your-attack-surface/
spec_version: 2
usecase: Security Monitoring
version: '2.0'