aws_network_acl_details_from_id.yml
name: AWS Network ACL Details from ID
id: 2e11293f-c795-41bd-b470-fc87adc4e196
version: 1
date: '2017-01-22'
author: Bhavin Patel, Splunk
type: Investigation
datamodel: []
description: This search queries AWS description logs and returns all the information
  about a specific network ACL, selected by its network ACL ID.
# The `id` field is renamed to networkAclId before the filter is applied, so the
# table command must reference networkAclId; the original `id` column no longer exists.
search: '`aws_description` | rename id as networkAclId | search networkAclId=$networkAclId$
  | table networkAclId account_id vpc_id network_acl_entries{}.*'
how_to_implement: In order to implement this search, you must install the AWS App
  for Splunk (version 5.1.0 or later) and the Splunk Add-on for AWS (version 4.4.0 or
  later) and configure your AWS description inputs.
known_false_positives: ''
references: []
tags:
  analytic_story:
  - AWS Network ACL Activity
  - Suspicious AWS Traffic
  - Command And Control
  product:
  - Splunk Phantom
  required_fields:
  - _time
  - id
  - account_id
  - vpc_id
  - network_acl_entries{}.*
  security_domain: network