Detect Spike In Network ACL Activity

Description

This search detects users creating spikes in API activity related to network access-control lists (ACLs) in your AWS environment.


Use Case

Advanced Threat Detection

Category

Cloud Security, SaaS


SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Defense Evasion

MITRE ATT&CK Techniques

Impair Defenses

Disable or Modify Cloud Firewall

Kill Chain Phases

Actions On Objectives

Data Sources

AWS
Audit Trail

Detect Spike In Network ACL Activity Help

You must install the AWS App for Splunk (version 5.1.0 or later) and the Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. You can modify dataPointThreshold and deviationThreshold to better fit your environment. The dataPointThreshold variable is the minimum number of data points a user ARN must have in the baseline before its activity is considered statistically significant enough to evaluate; ARNs with fewer data points are not scored. The deviationThreshold variable is the number of standard deviations away from the mean that the current value must be to be considered a spike. This search works best when you run the "Baseline of Network ACL Activity by ARN" support search once to create a lookup file of previously seen network ACL activity. To add or remove API event names related to network ACLs, edit the macro network_acl_events.
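The following is an added worked example, not the search shipped with the app, that models the logic described above in plain Python so the two thresholds can be reasoned about offline: CloudTrail-style events are filtered to network ACL API names, counted per user ARN and hour, summarized into a per-ARN baseline (mean, standard deviation, number of data points), and the current hour is flagged when the count exceeds mean plus deviationThreshold standard deviations and the baseline has at least dataPointThreshold observations. The event-name set is an assumption standing in for the network_acl_events macro (the page does not list its contents), the threshold values are illustrative defaults, and the events are constructed sample data.

```python
"""Added example: spike detection over network-ACL CloudTrail events.

Not the app's own SPL; a Python model of the baseline-plus-threshold
logic the Help text describes, run on constructed sample events."""
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Assumed stand-in for the network_acl_events macro: the page does not list
# the macro's contents, so this set is an assumption (real EC2 API names).
NETWORK_ACL_EVENTS = {
    "CreateNetworkAcl", "CreateNetworkAclEntry", "DeleteNetworkAcl",
    "DeleteNetworkAclEntry", "ReplaceNetworkAclAssociation",
    "ReplaceNetworkAclEntry",
}

DATA_POINT_THRESHOLD = 5   # illustrative: minimum baseline observations per ARN
DEVIATION_THRESHOLD = 3.0  # illustrative: stdevs above the mean that count as a spike


def hourly_counts(events):
    """Count matching events per (user ARN, UTC hour bucket)."""
    counts = defaultdict(int)
    for ev in events:
        if ev.get("eventName") not in NETWORK_ACL_EVENTS:
            continue  # everything outside the macro's list is ignored
        arn = ev.get("userIdentity", {}).get("arn")
        if not arn:
            continue
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        counts[(arn, ts.strftime("%Y-%m-%dT%H:00Z"))] += 1
    return counts


def build_baseline(counts):
    """Model of the support search: per-ARN mean, stdev and data-point count."""
    per_arn = defaultdict(list)
    for (arn, _bucket), n in counts.items():
        per_arn[arn].append(n)
    baseline = {}
    for arn, samples in per_arn.items():
        baseline[arn] = {
            "mean": statistics.fmean(samples),
            "stdev": statistics.pstdev(samples),  # population stdev
            "dataPoints": len(samples),
        }
    return baseline


def detect_spikes(current_counts, baseline,
                  data_point_threshold=DATA_POINT_THRESHOLD,
                  deviation_threshold=DEVIATION_THRESHOLD):
    """Return (arn, bucket, count, limit) for every hour that exceeds the baseline."""
    spikes = []
    for (arn, bucket), n in current_counts.items():
        b = baseline.get(arn)
        if b is None or b["dataPoints"] < data_point_threshold:
            continue  # too little history to judge; never seen or too few buckets
        # Caveat: a perfectly constant baseline has stdev 0, so any increase
        # becomes a spike; tune deviationThreshold (or floor the stdev) if noisy.
        limit = b["mean"] + deviation_threshold * b["stdev"]
        if n > limit:
            spikes.append((arn, bucket, n, limit))
    return spikes


# Constructed sample data (not real CloudTrail output).
def _ev(arn, name, time):
    return {"eventTime": time, "eventName": name,
            "eventSource": "ec2.amazonaws.com", "userIdentity": {"arn": arn}}


NETOPS = "arn:aws:iam::123456789012:user/netops"   # assumed ARN
NEWBIE = "arn:aws:iam::123456789012:user/newbie"   # assumed ARN

BASELINE_EVENTS = []
for hour, n in enumerate([1, 2, 1, 2, 1, 2]):       # six hourly data points
    for i in range(n):
        BASELINE_EVENTS.append(_ev(NETOPS, "CreateNetworkAclEntry",
                                   f"2024-01-01T{hour:02d}:{i:02d}:00Z"))
for hour in (0, 1):                                  # only two data points
    BASELINE_EVENTS.append(_ev(NEWBIE, "DeleteNetworkAclEntry",
                               f"2024-01-01T{hour:02d}:30:00Z"))
# Read-only call that the macro must exclude from the counts.
BASELINE_EVENTS.append(_ev(NETOPS, "DescribeNetworkAcls", "2024-01-01T00:45:00Z"))

CURRENT_EVENTS = [_ev(NETOPS, "ReplaceNetworkAclEntry", f"2024-01-02T10:{m:02d}:00Z")
                  for m in range(12)]                 # 12 in one hour: spike
CURRENT_EVENTS += [_ev(NEWBIE, "DeleteNetworkAcl", f"2024-01-02T10:{m:02d}:00Z")
                   for m in range(20)]                # skipped: baseline too thin


def run_example():
    baseline = build_baseline(hourly_counts(BASELINE_EVENTS))
    return detect_spikes(hourly_counts(CURRENT_EVENTS), baseline)


if __name__ == "__main__":
    for arn, bucket, count, limit in run_example():
        print(f"SPIKE {arn} {bucket}: {count} events (limit {limit:.1f})")
```

With these inputs only the netops ARN fires: its baseline of six hourly counts has mean 1.5 and standard deviation 0.5, so the limit is 3.0 and 12 events in one hour is a spike, while the newbie ARN's 20 events are not scored because its baseline holds only two data points, which is exactly the behaviour dataPointThreshold is meant to enforce.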
