forked from splunk/security_content
aws_network_acl_activity.yml
name: AWS Network ACL Activity
id: 2e8948a5-5239-406b-b56b-6c50ff268af4
version: 2
date: '2018-05-21'
author: Bhavin Patel, Splunk
description: Monitor your AWS network infrastructure for bad configurations and malicious
  activity. Investigative searches help you probe deeper when the facts warrant it.
narrative: AWS CloudTrail is an AWS service that helps you enable governance, compliance,
  and operational/risk auditing of your AWS account. Actions taken by a user, role,
  or an AWS service are recorded as events in CloudTrail. It is crucial for a company
  to monitor events and actions taken in the AWS Management Console, AWS Command Line
  Interface, and AWS SDKs and APIs to ensure that your servers are not vulnerable
  to attacks. This analytic story contains detection searches that leverage CloudTrail
  logs from AWS to check for bad configurations and malicious activity in your AWS
  network access controls.
references:
- https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_NACLs.html
- https://aws.amazon.com/blogs/security/how-to-help-prepare-for-ddos-attacks-by-reducing-your-attack-surface/
tags:
  category:
  - Cloud Security
  product:
  - Splunk Security Analytics for AWS
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Security Monitoring
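As an added example (not part of this story file or of the splunk/security_content project), the kind of check the narrative describes, written in Python over constructed CloudTrail-style records: it picks out the EC2 API calls that change a network ACL and rates a finding high when the new rule allows all of 0.0.0.0/0 or ::/0. The field names (eventSource, eventName, requestParameters with networkAclId, ruleNumber, ruleAction, egress, cidrBlock, ipv6CidrBlock) follow the EC2 API parameters as CloudTrail records them; the sample events and the actor ARN are constructed.

```python
# Added example, not from the story file: triage constructed CloudTrail-style records for NACL changes.
import json

# EC2 API calls that create, modify or remove network ACL rules/associations.
NACL_EVENTS = {"CreateNetworkAcl", "DeleteNetworkAcl", "CreateNetworkAclEntry",
               "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry",
               "ReplaceNetworkAclAssociation"}
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}   # v4 / v6 "match everything" CIDRs

def ev(name, params, source="ec2.amazonaws.com"):
    # Constructed CloudTrail-style record (sample data, not real log output).
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example"},
            "requestParameters": params}

SAMPLE_EVENTS = [  # constructed; field names follow the EC2 API parameters
    ev("CreateNetworkAclEntry", {"networkAclId": "acl-0example", "ruleNumber": 100,
       "protocol": "-1", "ruleAction": "allow", "egress": False, "cidrBlock": "0.0.0.0/0"}),
    ev("CreateNetworkAclEntry", {"networkAclId": "acl-0example", "ruleNumber": 110,
       "protocol": "6", "ruleAction": "deny", "egress": False, "cidrBlock": "0.0.0.0/0"}),
    ev("DescribeNetworkAcls", {}),                              # read-only call
    ev("CreateUser", {"userName": "x"}, "iam.amazonaws.com"),  # not an EC2 event
]

def is_nacl_change(record):
    """True for EC2 calls that alter a network ACL or its subnet association."""
    return (record.get("eventSource") == "ec2.amazonaws.com"
            and record.get("eventName") in NACL_EVENTS)

def is_open_allow(params):
    """Allow rule whose IPv4 or IPv6 CIDR matches every address."""
    cidr = params.get("cidrBlock") or params.get("ipv6CidrBlock")
    return params.get("ruleAction") == "allow" and cidr in ANY_ADDRESS

def triage(records):
    """One finding per network ACL change; allow-all rules are rated high."""
    findings = []
    for r in records:
        if not is_nacl_change(r):
            continue
        p = r.get("requestParameters") or {}
        findings.append({
            "event": r["eventName"], "acl": p.get("networkAclId"),
            "rule": p.get("ruleNumber"), "actor": r["userIdentity"]["arn"],
            "direction": "egress" if p.get("egress") else "ingress",
            "severity": "high" if is_open_allow(p) else "info"})
    return findings

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Against the constructed input, only the two CreateNetworkAclEntry records produce findings: rule 100 (allow from 0.0.0.0/0, ingress) is rated high and rule 110 (a deny) is informational, while the read-only DescribeNetworkAcls and the IAM call are ignored.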