New Network ACL Entry Added

Detects that network ACL entries have been added to a route table which could indicate that new attack vectors have been opened up in the AWS account.

Sigma rule (View on GitHub)

 1title: New Network ACL Entry Added
 2id: e1f7febb-7b94-4234-b5c6-00fb8500f5dd
 3status: test
 4description: |
 5        Detects that network ACL entries have been added to a route table which could indicate that new attack vectors have been opened up in the AWS account.
 6references:
 7    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
 8author: jamesc-grafana
 9date: 2024/07/11
10tags:
11    - attack.initial_access
12    - attack.t1190
13logsource:
14    product: aws
15    service: cloudtrail
16detection:
17    selection:
18        eventSource: 'ec2.amazonaws.com'
19        eventName: 'CreateNetworkAclEntry'
20    condition: selection
21falsepositives:
22    - Legitimate use of ACLs to enable customer and staff access from the public internet into a public VPC
23level: low

References

Related rules

to-top