New Network ACL Entry Added

Detects that network ACL entries have been added to a route table which could indicate that new attack vectors have been opened up in the AWS account.

Sigma rule

```yaml
title: New Network ACL Entry Added
id: e1f7febb-7b94-4234-b5c6-00fb8500f5dd
status: test
description: |
        Detects that network ACL entries have been added to a route table which could indicate that new attack vectors have been opened up in the AWS account.
references:
    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
author: jamesc-grafana
date: 2024-07-11
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'ec2.amazonaws.com'
        eventName: 'CreateNetworkAclEntry'
    condition: selection
falsepositives:
    - Legitimate use of ACLs to enable customer and staff access from the public internet into a public VPC
level: low
```
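The rule's selection is a plain equality match on two CloudTrail fields, so a hit on its own says only that someone created a NACL entry. Because the rule is `level: low` and its listed false positive is deliberate public access, the useful next step is triage: pull the entry's direction, action, CIDR and ports out of `requestParameters` so an analyst can tell a scoped change from a wide-open ingress allow. The following is an added example, not part of the Sigma rule or the Sigma project; it applies the selection above to constructed CloudTrail records and builds a triage row for each hit. The `requestParameters` field names (`networkAclId`, `ruleNumber`, `protocol`, `ruleAction`, `egress`, `cidrBlock`, `portRange`) are an assumption that CloudTrail mirrors the `CreateNetworkAclEntry` API parameters in camelCase, and the sample records are constructed, not real account data.

```python
# Selection taken from the Sigma rule above: both fields must match exactly.
SELECTION = {
    "eventSource": "ec2.amazonaws.com",
    "eventName": "CreateNetworkAclEntry",
}


def matches_rule(record: dict) -> bool:
    """Return True when a CloudTrail record satisfies the rule's selection."""
    return all(record.get(key) == value for key, value in SELECTION.items())


def triage(record: dict) -> dict:
    """Summarise the fields an analyst needs to decide whether a hit is the
    rule's listed false positive (intended public access) or worth escalating.

    Field names follow the assumed CloudTrail requestParameters layout for
    CreateNetworkAclEntry; adjust them if your trail records differ."""
    params = record.get("requestParameters") or {}
    port_range = params.get("portRange") or {}
    cidr = params.get("cidrBlock") or params.get("ipv6CidrBlock")
    is_egress = bool(params.get("egress"))
    return {
        "acl": params.get("networkAclId"),
        "rule_number": params.get("ruleNumber"),
        "actor": (record.get("userIdentity") or {}).get("arn"),
        "source_ip": record.get("sourceIPAddress"),
        "direction": "egress" if is_egress else "ingress",
        "action": params.get("ruleAction"),
        "cidr": cidr,
        "protocol": params.get("protocol"),  # "-1" means all protocols
        "ports": (port_range.get("from"), port_range.get("to")),
        # An ingress allow from any address is the combination that most
        # needs a human look; flag it so it sorts to the top of the queue.
        "wide_open": (
            params.get("ruleAction") == "allow"
            and not is_egress
            and cidr in ("0.0.0.0/0", "::/0")
        ),
    }


def run(records) -> list:
    """Apply the rule to an iterable of CloudTrail records and return one
    triage row per hit, wide-open entries first."""
    hits = [triage(r) for r in records if matches_rule(r)]
    return sorted(hits, key=lambda row: not row["wide_open"])


# Constructed sample CloudTrail records (not real account data).
SAMPLE_LOG = [
    {   # Scoped egress rule: matches the rule but is unlikely to need escalation.
        "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateNetworkAclEntry",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/netops"},
        "requestParameters": {
            "networkAclId": "acl-0example1111",
            "ruleNumber": 200,
            "protocol": "6",
            "ruleAction": "allow",
            "egress": True,
            "cidrBlock": "10.20.0.0/16",
            "portRange": {"from": 443, "to": 443},
        },
    },
    {   # Ingress allow-all from anywhere: matches and is flagged wide_open.
        "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateNetworkAclEntry",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
        "requestParameters": {
            "networkAclId": "acl-0example2222",
            "ruleNumber": 100,
            "protocol": "-1",
            "ruleAction": "allow",
            "egress": False,
            "cidrBlock": "0.0.0.0/0",
        },
    },
    {   # Read-only EC2 call: same eventSource, different eventName, no match.
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeNetworkAcls",
        "sourceIPAddress": "203.0.113.10",
    },
    {   # Different service entirely: no match.
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser",
        "sourceIPAddress": "203.0.113.10",
    },
]


if __name__ == "__main__":
    for row in run(SAMPLE_LOG):
        print(row)
```

Running the block prints two rows: the `0.0.0.0/0` ingress allow comes first with `wide_open` set, and the scoped egress rule follows. The two non-matching records never reach `triage`, which mirrors how the Sigma `condition: selection` gates everything on the two-field match.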
