Query Details

AWS Cloud Trail AWS Network ACL Open To All Ports

Query

// https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-networkaclentry.html
// https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl-entry.html
// https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
AWSCloudTrail
| where EventName in ("CreateNetworkAclEntry", "ReplaceNetworkAclEntry")
    and isempty(ErrorCode)
    and isempty(ErrorMessage)
| extend DynamicRequestParameters = todynamic(RequestParameters)
| extend
    NetworkAclId = tostring(DynamicRequestParameters["networkAclId"]),
    RuleNumber = toint(DynamicRequestParameters["ruleNumber"]),
    Egress = tobool(DynamicRequestParameters["egress"]),
    RuleAction = tostring(DynamicRequestParameters["ruleAction"]),
    PortFrom = toint(DynamicRequestParameters["portRange"]["from"]),
    PortTo = toint(DynamicRequestParameters["portRange"]["to"]),
    // aclProtocol is an IANA protocol number; AWS uses -1 for "all protocols", in which case no portRange is sent
    AclProtocol = toint(DynamicRequestParameters["aclProtocol"]),
    // IPv4 entries carry cidrBlock, IPv6 entries carry ipv6CidrBlock
    CiderBlock = tostring(coalesce(DynamicRequestParameters["cidrBlock"], DynamicRequestParameters["ipv6CidrBlock"]))
// Inbound allow rules only: all protocols, or a span of more than 100 ports (a null port span never satisfies the comparison)
| where not(Egress) and RuleAction == "allow" and (AclProtocol == -1 or (PortTo - PortFrom) > 100)
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    NetworkAclId,
    RuleNumber,
    Egress,
    RuleAction,
    PortFrom,
    PortTo,
    AclProtocol,
    CiderBlock,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This query retrieves AWS CloudTrail events for the creation or replacement of network ACL entries (CreateNetworkAclEntry and ReplaceNetworkAclEntry), keeping only calls that succeeded (no ErrorCode or ErrorMessage). It parses the request parameters to extract the ACL ID, rule number, direction, action, port range, protocol and CIDR block (IPv4 or IPv6), then keeps only inbound (non-egress) allow rules that either apply to all protocols (aclProtocol -1) or span a port range of more than 100 ports. Each matching event is enriched with actor role information via AWSIdentityRole(), and the identity, session, source and rule fields are projected for review. Note that the CIDR block is surfaced but not filtered, so a rule scoped to a narrow source range matches as readily as one open to 0.0.0.0/0; the CiderBlock column is there for that triage.
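The same filter, reimplemented in Python over constructed CloudTrail records so the logic can be checked offline (an added example, not part of the original query page; the sample events, ACL IDs and the WIDE_RANGE name are made up here, and aclProtocol is assumed to arrive as a string as CloudTrail serialises it):

```python
# Constructed CloudTrail records (not real logs) in the shape the KQL query reads.
SAMPLE_EVENTS = [
    {"eventName": "CreateNetworkAclEntry",
     "requestParameters": {"networkAclId": "acl-0aaa", "ruleNumber": 100, "egress": False,
                           "ruleAction": "allow", "aclProtocol": "-1", "cidrBlock": "0.0.0.0/0"}},
    {"eventName": "ReplaceNetworkAclEntry",
     "requestParameters": {"networkAclId": "acl-0bbb", "ruleNumber": 110, "egress": False,
                           "ruleAction": "allow", "aclProtocol": "6",
                           "portRange": {"from": 0, "to": 65535}, "cidrBlock": "10.0.0.0/8"}},
    {"eventName": "CreateNetworkAclEntry",  # single port: not wide
     "requestParameters": {"networkAclId": "acl-0ccc", "ruleNumber": 120, "egress": False,
                           "ruleAction": "allow", "aclProtocol": "6",
                           "portRange": {"from": 443, "to": 443}, "cidrBlock": "0.0.0.0/0"}},
    {"eventName": "CreateNetworkAclEntry",  # egress rule: out of scope
     "requestParameters": {"networkAclId": "acl-0ddd", "ruleNumber": 130, "egress": True,
                           "ruleAction": "allow", "aclProtocol": "-1", "ipv6CidrBlock": "::/0"}},
    {"eventName": "CreateNetworkAclEntry",  # failed call: nothing changed
     "errorCode": "Client.UnauthorizedOperation",
     "requestParameters": {"networkAclId": "acl-0eee", "ruleNumber": 140, "egress": False,
                           "ruleAction": "allow", "aclProtocol": "-1", "cidrBlock": "0.0.0.0/0"}},
]

WATCHED_EVENTS = {"CreateNetworkAclEntry", "ReplaceNetworkAclEntry"}
WIDE_RANGE = 100  # same threshold as the query: a span of more than 100 ports counts as wide

def is_open_inbound_rule(event):
    """Mirror the query's where clauses for one CloudTrail record."""
    if event.get("eventName") not in WATCHED_EVENTS:
        return False
    if event.get("errorCode") or event.get("errorMessage"):
        return False  # the API call failed, so no rule was written
    p = event.get("requestParameters", {})
    if p.get("egress") or p.get("ruleAction") != "allow":
        return False  # only inbound allow rules widen exposure
    proto = int(p.get("aclProtocol", 0))  # "-1" means all protocols
    if proto == -1:
        return True  # all-protocol rules carry no portRange at all
    port_range = p.get("portRange") or {}
    if "from" not in port_range or "to" not in port_range:
        return False  # e.g. ICMP rules carry icmpTypeCode instead of ports
    return int(port_range["to"]) - int(port_range["from"]) > WIDE_RANGE

def find_open_acl_entries(events):
    """Return the ACL, rule, protocol and CIDR (v4 or v6) of every matching event."""
    hits = []
    for e in events:
        if is_open_inbound_rule(e):
            p = e["requestParameters"]
            hits.append({"networkAclId": p["networkAclId"], "ruleNumber": p["ruleNumber"],
                         "aclProtocol": int(p["aclProtocol"]),
                         "cidr": p.get("cidrBlock") or p.get("ipv6CidrBlock")})
    return hits
```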

Details

Jose Sebastián Canós

Released: December 1, 2023

Tables

AWSCloudTrail

Keywords

AWSCloudTrail,EventName,CreateNetworkAclEntry,ReplaceNetworkAclEntry,ErrorCode,ErrorMessage,DynamicRequestParameters,NetworkAclId,RuleNumber,Egress,RuleAction,PortFrom,PortTo,AclProtocol,CiderBlock,TimeGenerated,UserIdentityType,Identity,ActorRole,UserIdentityAccountId,UserIdentityAccountName,RecipientAccountId,RecipientAccountName,SessionCreationDate,UserIdentityPrincipalid,UserIdentityArn,SourceIpAddress,EventSource,EventTypeName,ManagementEvent,ReadOnly,RequestParameters,ResponseElements,Resources,SessionMfaAuthenticated,UserAgent,AwsEventId

Operators

where, in, isempty, extend, tostring, toint, tobool, coalesce, not, and, or, invoke, project