AWSCloudTrail - Network ACL with all the open ports to a specified CIDR

AWSCloudTrail
| where EventName in ('CreateNetworkAclEntry', 'ReplaceNetworkAclEntry') and isempty(ErrorMessage) and isempty(ErrorCode)
| extend ruleAction = tostring(parse_json(RequestParameters)['ruleAction']),
         egress=parse_json(RequestParameters)['egress'],
         total_ports=(toint(parse_json(parse_json(RequestParameters)['portRange'])['to']) - toint(parse_json(parse_json(RequestParameters)['portRange'])['from'])),
         aclProtocol=parse_json(RequestParameters)['aclProtocol']
| where isnotempty(total_ports)
| where ruleAction == 'allow' and egress == false and (aclProtocol == '-1' or (total_ports > 1024))
| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
| extend UserName = tostring(split(UserIdentityArn, '/')[-1])
| extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
| extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
  AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")

entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
  - identifier: CloudAppAccountId
    columnName: RecipientAccountId
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIpAddress
tactics:
- DefenseEvasion
requiredDataConnectors:
- dataTypes:
  - AWSCloudTrail
  connectorId: AWS
alertDetailsOverride:
  alertDisplayNameFormat: AWS Network ACL overly permissive rule by {{AccountName}} in {{AWSRegion}}
  alertDescriptionFormat: Detected {{EventName}} from {{SourceIpAddress}} that opened broad Network ACL access in account {{RecipientAccountId}}.
id: f8ea7d50-e33b-4b9d-9c3e-a59fcbcee281
severity: High
status: Available
customDetails:
  AclProtocol: aclProtocol
  AWSRegion: AWSRegion
  RuleAction: ruleAction
  EventName: EventName
query: |
  AWSCloudTrail
  | where EventName in ('CreateNetworkAclEntry', 'ReplaceNetworkAclEntry') and isempty(ErrorMessage) and isempty(ErrorCode)
  | extend ruleAction = tostring(parse_json(RequestParameters)['ruleAction']),
           egress=parse_json(RequestParameters)['egress'],
           total_ports=(toint(parse_json(parse_json(RequestParameters)['portRange'])['to']) - toint(parse_json(parse_json(RequestParameters)['portRange'])['from'])),
           aclProtocol=parse_json(RequestParameters)['aclProtocol']
  | where isnotempty(total_ports)
  | where ruleAction == 'allow' and egress == false and (aclProtocol == '-1' or (total_ports > 1024))
  | extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
  | extend UserName = tostring(split(UserIdentityArn, '/')[-1])
  | extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
  | extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
    AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_NetworkACLOpenToAllPorts.yaml
kind: Scheduled
queryPeriod: 1d
version: 1.0.3
name: AWSCloudTrail - Network ACL with all the open ports to a specified CIDR
queryFrequency: 1d
triggerThreshold: 0
relevantTechniques:
- T1562.007
description: |
  Detects Network ACL entries that allow very broad inbound access ranges, including all protocols or large port
  ranges. Such changes can significantly increase exposure and may indicate weakening of cloud network controls.  
triggerOperator: gt