Try in Splunk Security Cloud

Description

This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). A upload of a new container is normally done from only a few known users. When the user was never seen before, we should have a closer look into the event.

  • Type: Anomaly
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Dev Sec Ops Analytics
  • Datamodel:
  • Last Updated: 2021-08-19
  • Author: Patrick Bareiss, Splunk
  • ID: 300688e4-365c-4486-a065-7c884462b31d

ATT&CK

ID Technique Tactic
T1204.003 Malicious Image Execution
T1204 User Execution Execution
`cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage NOT `aws_ecr_users` 
| rename requestParameters.* as * 
| rename repositoryName AS image 
| eval phase="release" 
| eval severity="high" 
| stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, user, userName, src_ip, imageTag, registryId, image, phase, severity 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_ecr_container_upload_unknown_user_filter`

Associated Analytic Story

How To Implement

You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.

Required field

  • eventSource
  • eventName
  • awsRegion
  • requestParameters.imageTag
  • requestParameters.registryId
  • requestParameters.repositoryName
  • user
  • userName
  • src_ip

Kill Chain Phase

  • Actions on Objectives

Known False Positives

unknown

RBA

Risk Score Impact Confidence Message
49.0 70 70 Container uploaded from unknown user $user$

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1