This search looks for AWS CloudTrail events from AWS Elastic Container Registry (ECR). An upload of a new container image is normally done during business hours; when one happens outside business hours, it warrants a closer look.
- Type: Anomaly
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Dev Sec Ops Analytics
- Last Updated: 2021-08-19
- Author: Patrick Bareiss, Splunk
- ID: d4c4d4eb-3994-41ca-a25e-a82d64e125bb
`cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage (date_hour>=20 OR date_hour<8) NOT (date_wday=saturday OR date_wday=sunday) | rename requestParameters.* as * | rename repositoryName AS image | eval phase="release" | eval severity="medium" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, user, userName, src_ip, imageTag, registryId, image, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_upload_outside_business_hours_filter`
Associated Analytic Story
How To Implement
You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with AWS CloudTrail logs.
Kill Chain Phase
- Actions on Objectives
Known False Positives
When your development teams are spread across different time zones, applying this rule can be difficult, because the business-hours window is evaluated against a single clock.
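To make the search logic and the time-zone caveat concrete, here is the same detection re-implemented in Python as an added example (this is not Splunk's code and not part of the original detection). It applies the search's conditions to constructed CloudTrail records and groups matches the way the `stats` clause does. Splunk's `date_hour` and `date_wday` are derived from the raw event timestamp, which CloudTrail writes in UTC, so the function defaults to UTC; passing another zone shows how the set of hits changes, which is the source of the false positives noted above. The `user` and `src_ip` fields are assumed to come from `userIdentity.userName` and `sourceIPAddress`, and all sample records are constructed.

```python
from datetime import datetime, timezone, tzinfo
from zoneinfo import ZoneInfo

# Constructed sample CloudTrail records (not real data); only the fields the search uses are present.
# 2021-08-17 is a Tuesday, 2021-08-18 a Wednesday, 2021-08-21 a Saturday.
SAMPLE_EVENTS = [
    {"eventSource": "ecr.amazonaws.com", "eventName": "PutImage", "eventTime": "2021-08-17T22:15:00Z",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10", "userIdentity": {"userName": "ci-deploy"},
     "requestParameters": {"repositoryName": "web-api", "imageTag": "v1.4.2", "registryId": "123456789012"}},
    {"eventSource": "ecr.amazonaws.com", "eventName": "PutImage", "eventTime": "2021-08-17T22:40:00Z",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10", "userIdentity": {"userName": "ci-deploy"},
     "requestParameters": {"repositoryName": "web-api", "imageTag": "v1.4.2", "registryId": "123456789012"}},
    {"eventSource": "ecr.amazonaws.com", "eventName": "PutImage", "eventTime": "2021-08-18T10:30:00Z",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "alice"},
     "requestParameters": {"repositoryName": "web-api", "imageTag": "v1.4.3", "registryId": "123456789012"}},
    {"eventSource": "ecr.amazonaws.com", "eventName": "PutImage", "eventTime": "2021-08-21T03:00:00Z",
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.9", "userIdentity": {"userName": "bob"},
     "requestParameters": {"repositoryName": "worker", "imageTag": "nightly", "registryId": "123456789012"}},
    # Off-hours ECR call that is not an upload: must not match (it would have matched the
    # unparenthesised "date_hour>=20 OR date_hour<8" because AND binds tighter than OR in SPL).
    {"eventSource": "ecr.amazonaws.com", "eventName": "DescribeImages", "eventTime": "2021-08-18T03:05:00Z",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10", "userIdentity": {"userName": "ci-deploy"},
     "requestParameters": {"repositoryName": "web-api", "registryId": "123456789012"}},
    # Off-hours event from another service: must not match.
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "eventTime": "2021-08-18T04:00:00Z",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10", "userIdentity": {"userName": "ci-deploy"},
     "requestParameters": {"bucketName": "artifacts"}},
]


def parse_event_time(value):
    """CloudTrail eventTime is ISO 8601 in UTC, e.g. 2021-08-17T22:15:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_outside_business_hours(when, tz, start_hour=8, end_hour=20):
    """Mirror of (date_hour>=20 OR date_hour<8) NOT (date_wday=saturday OR date_wday=sunday),
    evaluated in the given time zone."""
    local = when.astimezone(tz)
    if local.weekday() >= 5:  # Saturday/Sunday are excluded entirely by the search
        return False
    return local.hour >= end_hour or local.hour < start_hour


def find_offhours_uploads(events, tz="UTC", start_hour=8, end_hour=20):
    """Return one row per (region, user, src_ip, registry, image, tag) with firstTime/lastTime,
    the same grouping the search's stats clause produces."""
    if not isinstance(tz, tzinfo):
        tz = ZoneInfo(tz)
    groups = {}
    for ev in events:
        # Both source and event name are required for every row; the hour window is a separate, parenthesised test.
        if ev.get("eventSource") != "ecr.amazonaws.com" or ev.get("eventName") != "PutImage":
            continue
        when = parse_event_time(ev["eventTime"])
        if not is_outside_business_hours(when, tz, start_hour, end_hour):
            continue
        rp = ev.get("requestParameters", {})
        key = (ev.get("awsRegion"), ev.get("userIdentity", {}).get("userName"), ev.get("sourceIPAddress"),
               rp.get("registryId"), rp.get("repositoryName"), rp.get("imageTag"))
        g = groups.setdefault(key, {"firstTime": when, "lastTime": when})
        g["firstTime"] = min(g["firstTime"], when)
        g["lastTime"] = max(g["lastTime"], when)
    rows = []
    for (region, user, src_ip, registry, image, tag), g in groups.items():
        rows.append({"awsRegion": region, "user": user, "src_ip": src_ip, "registryId": registry,
                     "image": image, "imageTag": tag, "phase": "release", "severity": "medium", **g})
    rows.sort(key=lambda r: r["firstTime"])
    return rows


if __name__ == "__main__":
    # Same records, two clocks: the UTC run flags ci-deploy's late-evening push, the Los Angeles run
    # instead flags alice (03:30 local) and bob (Friday 20:00 local), which is the false-positive problem.
    for zone in ("UTC", "America/Los_Angeles"):
        print(f"== business hours evaluated in {zone}")
        for r in find_offhours_uploads(SAMPLE_EVENTS, zone):
            print(f"  {r['user']} uploaded {r['image']}:{r['imageTag']} from {r['src_ip']} "
                  f"between {r['firstTime']} and {r['lastTime']}")
```

The `tz` parameter accepts either an IANA zone name or a `tzinfo` object, so a team can evaluate the window in the zone where its developers actually work rather than in the log's UTC clock; a per-user or per-region zone map would be the next refinement if teams are distributed.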
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 49.0 | 70 | 70 | Container uploaded outside business hours from $user$ |
- Version: 1