Microsoft Sentinel Analytic Rules

AWSCloudTrail - ECR image scan findings high or critical

Id: f6928301-56da-4d2c-aabe-e1a552bc8892
Rulename: AWSCloudTrail - ECR image scan findings high or critical
Description: Identifies Amazon ECR image scan findings that report high or critical severity vulnerabilities. These findings indicate container images that should be reviewed and remediated before deployment or continued use.
Severity: High
Tactics: Discovery
Techniques: T1083
Required data connectors: AWS
Kind: Scheduled
Query frequency: 1d
Query period: 1d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_ECRContainerHigh.yaml
Version: 1.0.3
Arm template: f6928301-56da-4d2c-aabe-e1a552bc8892.json
AWSCloudTrail
// Keep only successful DescribeImageScanFindings calls (no error code or message returned)
| where EventName == "DescribeImageScanFindings" and isempty(ErrorCode) and isempty(ErrorMessage)
// Repository name and image digest come from the API response body
| extend repoName = tostring(parse_json(ResponseElements).repositoryName)
| extend imageId = tostring(parse_json(ResponseElements).imageId.imageDigest)
// Severity counters reported by the ECR scan; missing counters become null and fail the comparison below
| extend Critical = toint(parse_json(ResponseElements).imageScanFindings.findingSeverityCounts.CRITICAL)
| extend High = toint(parse_json(ResponseElements).imageScanFindings.findingSeverityCounts.HIGH)
// Alert only when at least one critical or high finding is present
| where Critical > 0 or High > 0
// Fall back to the first resource ARN when the caller identity ARN is empty
| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
// The last ARN segment is the user name or role session name
| extend UserName = tostring(split(UserIdentityArn, '/')[-1])
| extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
// Split UPN-style names into name and suffix for the Account entity mapping
| extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
  AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
alertDetailsOverride:
  alertDisplayNameFormat: AWS ECR image scan findings with high or critical Vulnerabilities in {{repoName}}
  alertDescriptionFormat: ECR image {{imageId}} in repository {{repoName}} returned critical and high findings.
version: 1.0.3
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_ECRContainerHigh.yaml
kind: Scheduled
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
  - columnName: RecipientAccountId
    identifier: CloudAppAccountId
- entityType: IP
  fieldMappings:
  - columnName: SourceIpAddress
    identifier: Address
triggerThreshold: 0
queryPeriod: 1d
triggerOperator: gt
tactics:
- Discovery
queryFrequency: 1d
requiredDataConnectors:
- connectorId: AWS
  dataTypes:
  - AWSCloudTrail
query: |
  AWSCloudTrail
  | where EventName == "DescribeImageScanFindings" and isempty(ErrorCode) and isempty(ErrorMessage)
  | extend repoName = tostring(parse_json(ResponseElements).repositoryName)
  | extend imageId = tostring(parse_json(ResponseElements).imageId.imageDigest)
  | extend Critical = toint(parse_json(ResponseElements).imageScanFindings.findingSeverityCounts.CRITICAL)
  | extend High = toint(parse_json(ResponseElements).imageScanFindings.findingSeverityCounts.HIGH)
  | where Critical > 0 or High > 0
  | extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
  | extend UserName = tostring(split(UserIdentityArn, '/')[-1])
  | extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
  | extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
    AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
severity: High
customDetails:
  CriticalFindings: Critical
  ImageDigest: imageId
  Repository: repoName
  HighFindings: High
status: Available
relevantTechniques:
- T1083
name: AWSCloudTrail - ECR image scan findings high or critical
description: |
    Identifies Amazon ECR image scan findings that report high or critical severity vulnerabilities. These findings indicate container images that should be reviewed and remediated before deployment or continued use.
id: f6928301-56da-4d2c-aabe-e1a552bc8892