AWSCloudTrail - Network ACL with all the open ports to a specified CIDR

AWSCloudTrail
| where EventName in ('CreateNetworkAclEntry', 'ReplaceNetworkAclEntry') and isempty(ErrorMessage) and isempty(ErrorCode)
| extend ruleAction = tostring(parse_json(RequestParameters)['ruleAction']),
         egress=parse_json(RequestParameters)['egress'],
         total_ports=(toint(parse_json(parse_json(RequestParameters)['portRange'])['to']) - toint(parse_json(parse_json(RequestParameters)['portRange'])['from'])),
         aclProtocol=parse_json(RequestParameters)['aclProtocol']
| where isnotempty(total_ports)
| where ruleAction == 'allow' and egress == false and (aclProtocol == '-1' or (total_ports > 1024))
| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
| extend UserName = tostring(split(UserIdentityArn, '/')[-1])
| extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
| extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
  AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")

status: Available
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
query: |
  AWSCloudTrail
  | where EventName in ('CreateNetworkAclEntry', 'ReplaceNetworkAclEntry') and isempty(ErrorMessage) and isempty(ErrorCode)
  | extend ruleAction = tostring(parse_json(RequestParameters)['ruleAction']),
           egress=parse_json(RequestParameters)['egress'],
           total_ports=(toint(parse_json(parse_json(RequestParameters)['portRange'])['to']) - toint(parse_json(parse_json(RequestParameters)['portRange'])['from'])),
           aclProtocol=parse_json(RequestParameters)['aclProtocol']
  | where isnotempty(total_ports)
  | where ruleAction == 'allow' and egress == false and (aclProtocol == '-1' or (total_ports > 1024))
  | extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
  | extend UserName = tostring(split(UserIdentityArn, '/')[-1])
  | extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
  | extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
    AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_NetworkACLOpenToAllPorts.yaml
tactics:
- DefenseEvasion
triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
  - identifier: CloudAppAccountId
    columnName: RecipientAccountId
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIpAddress
requiredDataConnectors:
- connectorId: AWS
  dataTypes:
  - AWSCloudTrail
alertDetailsOverride:
  alertDescriptionFormat: Detected {{EventName}} from {{SourceIpAddress}} that opened broad Network ACL access in account {{RecipientAccountId}}.
  alertDisplayNameFormat: AWS Network ACL overly permissive rule by {{AccountName}} in {{AWSRegion}}
relevantTechniques:
- T1562.007
customDetails:
  EventName: EventName
  AclProtocol: aclProtocol
  AWSRegion: AWSRegion
  RuleAction: ruleAction
description: |
  Detects Network ACL entries that allow very broad inbound access ranges, including all protocols or large port
  ranges. Such changes can significantly increase exposure and may indicate weakening of cloud network controls.  
name: AWSCloudTrail - Network ACL with all the open ports to a specified CIDR
version: 1.0.3
kind: Scheduled
id: f8ea7d50-e33b-4b9d-9c3e-a59fcbcee281
severity: High