Microsoft Sentinel Analytic Rules

AWSCloudTrail - Amazon ECR image scanning disabled

Id: 19602494-94af-43c8-90ba-eb0e14999612
Rule name: AWSCloudTrail - Amazon ECR image scanning disabled
Description: Identifies Amazon ECR image scanning being disabled. This change can reduce visibility into vulnerable container images and may indicate defense evasion or weakening of container security controls.
Severity: Medium
Tactics: DefenseEvasion
Techniques: T1562.001
Required data connectors: AWS
Kind: Scheduled
Query frequency: 1d
Query period: 1d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_ECRImageScanningDisabled.yaml
Version: 1.0.2
Arm template: 19602494-94af-43c8-90ba-eb0e14999612.json
AWSCloudTrail
| where EventName == "PutImageScanningConfiguration" and isempty(ErrorCode) and isempty(ErrorMessage)
| extend scanOnPush = parse_json(tostring((parse_json(RequestParameters).imageScanningConfiguration))).scanOnPush
| where scanOnPush == false
| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
| extend UserName = tostring(split(UserIdentityArn, '/')[-1])
| extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
| extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
  AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
| distinct TimeGenerated, EventName, SourceIpAddress, UserIdentityArn, UserIdentityUserName, RecipientAccountId, AccountName, AccountUPNSuffix
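To exercise the rule's logic without a Sentinel workspace, here is a Python re-implementation of the KQL pipeline above, run over constructed rows shaped like the AWSCloudTrail table. It is an added example, not code from the Azure-Sentinel repository or from this site; the repository name, account id, ARNs, principal ids and IP address are all made up. It walks through the cases the query handles: a user disabling scan-on-push, a call that only re-enables it, a call rejected by IAM (dropped because ErrorCode is set), an assumed role whose name is taken from the last ARN segment, the fallback to Resources[].ARN when UserIdentityArn is empty, and the distinct step.

```python
"""Offline re-implementation of the Sentinel rule's KQL logic.

Added example, not code from the Azure-Sentinel repository. The records
are constructed; their column names mirror the Sentinel AWSCloudTrail table.
"""
import json

ALERT_COLUMNS = ("TimeGenerated", "EventName", "SourceIpAddress", "UserIdentityArn",
                 "UserIdentityUserName", "RecipientAccountId", "AccountName", "AccountUPNSuffix")


def row(**overrides):
    """One AWSCloudTrail-shaped row: constructed defaults plus per-case overrides."""
    base = {
        "TimeGenerated": "2024-05-01T10:00:00Z",
        "EventName": "PutImageScanningConfiguration",
        "ErrorCode": "",
        "ErrorMessage": "",
        "RequestParameters": json.dumps({"repositoryName": "payments-api",
                                         "imageScanningConfiguration": {"scanOnPush": False}}),
        "UserIdentityArn": "arn:aws:iam::111122223333:user/alice@example.com",
        "UserIdentityUserName": "alice@example.com",
        "UserIdentityPrincipalid": "AIDAEXAMPLEPRINCIPAL",
        "SourceIpAddress": "203.0.113.10",
        "RecipientAccountId": "111122223333",
        "Resources": "[]",
    }
    base.update(overrides)
    return base


SAMPLE_EVENTS = [
    row(),  # 1. IAM user turns scan-on-push off: the case the rule exists for
    row(RequestParameters=json.dumps({"repositoryName": "payments-api",   # 2. re-enabling
                                      "imageScanningConfiguration": {"scanOnPush": True}})),
    row(ErrorCode="AccessDeniedException",                                # 3. denied by IAM
        ErrorMessage="not authorized to perform: ecr:PutImageScanningConfiguration"),
    row(UserIdentityArn="arn:aws:sts::111122223333:assumed-role/DeployRole/ci-runner",
        UserIdentityUserName="", UserIdentityPrincipalid="AROAEXAMPLE:ci-runner"),  # 4. role
    row(UserIdentityArn="", UserIdentityUserName="",                      # 5. ARN only in Resources
        Resources=json.dumps([{"ARN": "arn:aws:iam::111122223333:role/BreakGlass"}])),
    row(),  # 6. exact duplicate of 1, collapsed by the rule's distinct
]


def detect_ecr_scanning_disabled(events):
    """Apply the rule's filters and entity derivation; return the distinct alert rows."""
    alerts, seen = [], set()
    for ev in events:
        # Only successful PutImageScanningConfiguration calls changed anything.
        if ev.get("EventName") != "PutImageScanningConfiguration":
            continue
        if ev.get("ErrorCode") or ev.get("ErrorMessage"):
            continue
        params = json.loads(ev.get("RequestParameters") or "{}")
        scan_on_push = (params.get("imageScanningConfiguration") or {}).get("scanOnPush")
        if scan_on_push is not False:   # KQL: where scanOnPush == false
            continue
        # Identity ARN, falling back to the first Resources[].ARN as the KQL does.
        arn = ev.get("UserIdentityArn") or ""
        if not arn:
            resources = json.loads(ev.get("Resources") or "[]")
            arn = str(resources[0].get("ARN", "")) if resources else ""
        user_name = arn.split("/")[-1]
        # AccountName: Anonymous, else the user name column, else the ARN tail.
        if ev.get("UserIdentityPrincipalid") == "Anonymous":
            account_name = "Anonymous"
        elif not ev.get("UserIdentityUserName"):
            account_name = user_name
        else:
            account_name = ev["UserIdentityUserName"]
        # Split email-style names into Name and UPNSuffix for the Account entity.
        upn_suffix = ""
        if "@" in account_name:
            parts = account_name.split("@")
            account_name, upn_suffix = parts[0], parts[1]
        alert = {**{c: ev.get(c, "") for c in ALERT_COLUMNS},
                 "UserIdentityArn": arn, "AccountName": account_name,
                 "AccountUPNSuffix": upn_suffix}
        key = tuple(alert[c] for c in ALERT_COLUMNS)   # KQL: distinct ...
        if key not in seen:
            seen.add(key)
            alerts.append(alert)
    return alerts


def alert_display_name(alert):
    """Same text as the rule's alertDisplayNameFormat."""
    return (f"Amazon ECR image scanning disabled by {alert['AccountName']} "
            f"from {alert['SourceIpAddress']}")


if __name__ == "__main__":
    for a in detect_ecr_scanning_disabled(SAMPLE_EVENTS):
        print(alert_display_name(a), "| account", a["RecipientAccountId"])
```

Running it yields three alerts (events 1, 4 and 5; event 6 is folded into 1 by the distinct step). Two gaps are worth knowing when tuning: the rule keys only on PutImageScanningConfiguration, so a repository created with CreateRepository and scanOnPush=false never appears, and the registry-level enhanced-scanning setting (PutRegistryScanningConfiguration) is a different API that this rule does not watch. Denied attempts are filtered out by design; if you want them as an attempted-tampering signal, put a copy of the query without the isempty(ErrorCode) condition in a separate, lower-severity rule. With a 1d frequency and 1d lookback, an alert can lag the change by up to a day.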
entityMappings:
- fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
  - columnName: RecipientAccountId
    identifier: CloudAppAccountId
  entityType: Account
- fieldMappings:
  - columnName: SourceIpAddress
    identifier: Address
  entityType: IP
triggerOperator: gt
tactics:
- DefenseEvasion
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_ECRImageScanningDisabled.yaml
alertDetailsOverride:
  alertDescriptionFormat: Amazon ECR image scanning was disabled by {{AccountName}} from {{SourceIpAddress}} in account {{RecipientAccountId}}
  alertDisplayNameFormat: Amazon ECR image scanning disabled by {{AccountName}} from {{SourceIpAddress}}
version: 1.0.2
query: |
  AWSCloudTrail
  | where EventName == "PutImageScanningConfiguration" and isempty(ErrorCode) and isempty(ErrorMessage)
  | extend scanOnPush = parse_json(tostring((parse_json(RequestParameters).imageScanningConfiguration))).scanOnPush
  | where scanOnPush == false
  | extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
  | extend UserName = tostring(split(UserIdentityArn, '/')[-1])
  | extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
  | extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
    AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
  | distinct TimeGenerated, EventName, SourceIpAddress, UserIdentityArn, UserIdentityUserName, RecipientAccountId, AccountName, AccountUPNSuffix  
triggerThreshold: 0
relevantTechniques:
- T1562.001
queryPeriod: 1d
status: Available
severity: Medium
kind: Scheduled
customDetails:
  UserIdentityUserName: UserIdentityUserName
  EventName: EventName
  UserIdentityArn: UserIdentityArn
  RecipientAccountId: RecipientAccountId
name: AWSCloudTrail - Amazon ECR image scanning disabled
queryFrequency: 1d
id: 19602494-94af-43c8-90ba-eb0e14999612
description: |
    Identifies Amazon ECR image scanning being disabled. This change can reduce visibility into vulnerable container images and may indicate defense evasion or weakening of container security controls.
requiredDataConnectors:
- dataTypes:
  - AWSCloudTrail
  connectorId: AWS