Detection rules › Panther
AWS Network ACL Overly Permissive Entry Created
A Network ACL entry that allows access from anywhere was added.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1098 Account Manipulation |
Rule body yaml
AnalysisType: rule
Filename: aws_network_acl_permissive_entry.py
RuleID: "AWS.CloudTrail.NetworkACLPermissiveEntry"
DisplayName: "AWS Network ACL Overly Permissive Entry Created"
Enabled: true
LogTypes:
- AWS.CloudTrail
Tags:
- AWS
- Persistence:Account Manipulation
Severity: Medium
Reports:
MITRE ATT&CK:
- TA0003:T1098
Description: >
A Network ACL entry that allows access from anywhere was added.
Runbook: >
Remove the overly permissive Network ACL entry and add a new entry with more restrictive permissions.
Reference: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-rules
SummaryAttributes:
- userAgent
- sourceIpAddress
- recipientAccountId
- p_any_aws_arns
Tests:
- Name: Overly Permissive Entry Added
ExpectedResult: true
Log:
{
"awsRegion": "us-west-2",
"eventID": "1111",
"eventName": "CreateNetworkAclEntry",
"eventSource": "ec2.amazonaws.com",
"eventTime": "2019-01-01T00:00:00Z",
"eventType": "AwsApiCall",
"eventVersion": "1.05",
"recipientAccountId": "123456789012",
"requestID": "1111",
"requestParameters":
{
"aclProtocol": "6",
"cidrBlock": "0.0.0.0/0",
"egress": false,
"icmpTypeCode": {},
"networkAclId": "acl-1111",
"portRange": { "from": 700, "to": 702 },
"ruleAction": "allow",
"ruleNumber": 12,
},
"responseElements": { "_return": true, "requestId": "1111" },
"sourceIPAddress": "111.111.111.111",
"userAgent": "Mozilla/2.0 (compatible; NEWT ActiveX; Win32)",
"userIdentity":
{
"accessKeyId": "1111",
"accountId": "123456789012",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-user",
"principalId": "1111",
"sessionContext":
{
"attributes":
{
"creationDate": "2019-01-01T00:00:00Z",
"mfaAuthenticated": "true",
},
"sessionIssuer":
{
"accountId": "123456789012",
"arn": "arn:aws:iam::123456789012:role/example-role",
"principalId": "1111",
"type": "Role",
"userName": "example-role",
},
"webIdFederationData": {},
},
"type": "AssumedRole",
},
}
- Name: Not Overly Permissive Entry Added
ExpectedResult: false
Log:
{
"awsRegion": "us-west-2",
"eventID": "1111",
"eventName": "CreateNetworkAclEntry",
"eventSource": "ec2.amazonaws.com",
"eventTime": "2019-01-01T00:00:00Z",
"eventType": "AwsApiCall",
"eventVersion": "1.05",
"recipientAccountId": "123456789012",
"requestID": "1111",
"requestParameters":
{
"aclProtocol": "6",
"cidrBlock": "111.111.111.111/32",
"egress": false,
"icmpTypeCode": {},
"networkAclId": "acl-1111",
"portRange": { "from": 700, "to": 702 },
"ruleAction": "allow",
"ruleNumber": 12,
},
"responseElements": { "_return": true, "requestId": "1111" },
"sourceIPAddress": "111.111.111.111",
"userAgent": "Mozilla/2.0 (compatible; NEWT ActiveX; Win32)",
"userIdentity":
{
"accessKeyId": "1111",
"accountId": "123456789012",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-user",
"principalId": "1111",
"sessionContext":
{
"attributes":
{
"creationDate": "2019-01-01T00:00:00Z",
"mfaAuthenticated": "true",
},
"sessionIssuer":
{
"accountId": "123456789012",
"arn": "arn:aws:iam::123456789012:role/example-role",
"principalId": "1111",
"type": "Role",
"userName": "example-role",
},
"webIdFederationData": {},
},
"type": "AssumedRole",
},
}
- Name: Error Adding Overly Permissive Entry
ExpectedResult: false
Log:
{
"awsRegion": "us-west-2",
"errorCode": "ValidationError",
"eventID": "1111",
"eventName": "CreateNetworkAclEntry",
"eventSource": "ec2.amazonaws.com",
"eventTime": "2019-01-01T00:00:00Z",
"eventType": "AwsApiCall",
"eventVersion": "1.05",
"recipientAccountId": "123456789012",
"requestID": "1111",
"requestParameters":
{
"aclProtocol": "6",
"cidrBlock": "0.0.0.0/0",
"egress": false,
"icmpTypeCode": {},
"networkAclId": "acl-1111",
"portRange": { "from": 700, "to": 702 },
"ruleAction": "allow",
"ruleNumber": 12,
},
"responseElements": { "_return": true, "requestId": "1111" },
"sourceIPAddress": "111.111.111.111",
"userAgent": "Mozilla/2.0 (compatible; NEWT ActiveX; Win32)",
"userIdentity":
{
"accessKeyId": "1111",
"accountId": "123456789012",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-user",
"principalId": "1111",
"sessionContext":
{
"attributes":
{
"creationDate": "2019-01-01T00:00:00Z",
"mfaAuthenticated": "true",
},
"sessionIssuer":
{
"accountId": "123456789012",
"arn": "arn:aws:iam::123456789012:role/example-role",
"principalId": "1111",
"type": "Role",
"userName": "example-role",
},
"webIdFederationData": {},
},
"type": "AssumedRole",
},
}
Detection logic
Condition
not (errorCode is_not_null or errorMessage is_not_null or eventName ne "CreateNetworkAclEntry")
requestParameters.cidrBlock eq "0.0.0.0/0"
requestParameters.ruleAction eq "allow"
requestParameters.egress eq "False"
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
errorCode | is_not_null | |
errorMessage | is_not_null | |
eventName | ne | CreateNetworkAclEntry |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
requestParameters.cidrBlock | eq |
|
requestParameters.egress | eq |
|
requestParameters.ruleAction | eq |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field |
|---|
eventName |
eventSource |
awsRegion |
recipientAccountId |
sourceIPAddress |
userAgent |
userIdentity |