Name:AWS ECR Container Scanning Findings High id:30a0e9f8-f1dd-4f9d-8fc2-c622461d781c version:4 date:2024-09-30 author:Patrick Bareiss, Splunk status:production type:TTP Description:The following analytic identifies high-severity findings from AWS Elastic Container Registry (ECR) image scans. It detects these activities by analyzing AWS CloudTrail logs for the DescribeImageScanFindings event, specifically filtering for findings with a high severity level. This activity is significant for a SOC because high-severity vulnerabilities in container images can lead to potential exploitation if not addressed. If confirmed malicious, attackers could exploit these vulnerabilities to gain unauthorized access, execute arbitrary code, or escalate privileges within the container environment, posing a significant risk to the overall security posture. Data_source:
-AWS CloudTrail DescribeImageScanFindings
search:`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand findings | spath input=findings | search severity=HIGH | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository, userIdentity.principalId as user | eval finding = finding_name.", ".finding_description | eval phase="release" | eval severity="high" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, imageDigest, repository, user, src_ip, finding, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_high_filter`
how_to_implement:You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives:unknown References: -https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html drilldown_searches: name:'View the detection results for - "$repository$"' search:'%original_detection_search% | search repository = "$repository$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$repository$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$repository$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Dev Sec Ops' asset_type:AWS Account confidence:100 impact:70 message:Vulnerabilities with severity high found in repository $repository$ mitre_attack_id: - 'T1204.003' - 'T1204' observable: name:'user' type:'User' - role: - 'Attacker' name:'repository' type:'Other' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - 'eventSource' - 'eventName' - 'responseElements.imageScanFindings.findings{}' - 'awsRegion' - 'requestParameters.imageId.imageDigest' - 'requestParameters.repositoryName' - 'user' - 'userName' - 'src_ip' risk_score:70 security_domain:network
