Try in Splunk Security Cloud


Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the AWS console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the AWS CloudTrail logs to detect users deleting network ACLs.

  • Type: Anomaly
  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2021-01-12
  • Author: Bhavin Patel, Patrick Bareiss, Splunk
  • ID: ada0f478-84a8-4641-a3f1-d82362d6fd75


ID Technique Tactic
T1562.007 Disable or Modify Cloud Firewall Defense Evasion
T1562 Impair Defenses Defense Evasion
`cloudtrail` eventName=DeleteNetworkAclEntry requestParameters.egress=false 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by userName userIdentity.principalId eventName requestParameters.egress src userAgent 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `aws_network_access_control_list_deleted_filter`

Associated Analytic Story

How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs.

Required field

  • _time
  • eventName
  • requestParameters.egress
  • userName
  • userIdentity.principalId
  • src
  • userAgent

Kill Chain Phase

  • Actions on Objectives

Known False Positives

It's possible that a user has legitimately deleted a network ACL.


Risk Score Impact Confidence Message
5.0 10 50 User $user_arn$ from $src$ has sucessfully deleted network ACLs entry (eventName= $eventName$), such that the instance is accessible from anywhere


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 2