Cloud Network Access Control List Deleted

Description

Network access control lists (ACLs) are one of the defensive mechanisms cloud administrators use to restrict access to a cloud instance. An attacker who has gained control of the console by compromising an admin account can delete a network ACL and gain access to the instance from anywhere. This search queries the Change data model to detect users deleting network ACLs.

Use Case

Security Monitoring

Category

Adversary Tactics

Alert Volume

SPL Difficulty

None

Journey

Stage 3

Data Sources

AWS
Audit Trail

Cloud Network Access Control List Deleted Help

You must be ingesting your cloud infrastructure logs from your cloud provider. You can also provide additional filtering for this search by customizing the cloud_network_access_control_list_deleted_filter macro.
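The detection described above, sketched as an added example over raw AWS CloudTrail records; it is not the Splunk search or macro from this content. The sample records, ARNs and the `allowed_arns` parameter (standing in for the kind of tuning the filter macro provides) are constructed assumptions.

```python
import json

# EC2 API calls that remove a network ACL or one of its rules.
ACL_DELETE_EVENTS = {"DeleteNetworkAcl", "DeleteNetworkAclEntry"}

# Constructed CloudTrail records (not real data), one JSON object per line.
SAMPLE_LOG = """\
{"eventTime":"2024-01-10T09:15:02Z","eventSource":"ec2.amazonaws.com","eventName":"DeleteNetworkAcl","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"networkAclId":"acl-0aaa1111"}}
{"eventTime":"2024-01-10T09:16:40Z","eventSource":"ec2.amazonaws.com","eventName":"DeleteNetworkAcl","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.9","errorCode":"Client.UnauthorizedOperation","userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"},"requestParameters":{"networkAclId":"acl-0bbb2222"}}
{"eventTime":"2024-01-10T09:20:11Z","eventSource":"ec2.amazonaws.com","eventName":"DeleteNetworkAclEntry","awsRegion":"eu-west-1","sourceIPAddress":"203.0.113.50","userIdentity":{"arn":"arn:aws:iam::111122223333:role/net-automation"},"requestParameters":{"networkAclId":"acl-0ccc3333","ruleNumber":100,"egress":false}}
{"eventTime":"2024-01-10T09:21:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeNetworkAcls","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":null}
"""


def find_acl_deletions(lines, allowed_arns=frozenset()):
    """Return one finding per successful network ACL deletion.

    allowed_arns is a hypothetical tuning list of identities whose
    deletions are expected (for example, a change-automation role).
    """
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of failing
        if event.get("eventSource") != "ec2.amazonaws.com":
            continue
        if event.get("eventName") not in ACL_DELETE_EVENTS:
            continue
        if "errorCode" in event:
            continue  # denied or failed call: nothing was deleted
        arn = (event.get("userIdentity") or {}).get("arn", "unknown")
        if arn in allowed_arns:
            continue
        params = event.get("requestParameters") or {}
        findings.append({
            "time": event.get("eventTime"),
            "user": arn,
            "action": event["eventName"],
            "src": event.get("sourceIPAddress"),
            "region": event.get("awsRegion"),
            "acl": params.get("networkAclId"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_acl_deletions(SAMPLE_LOG.splitlines()):
        print(finding)
```

Failed calls are skipped here because they changed nothing, but a burst of denied delete attempts from one identity is worth a separate lower-severity check.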
