Microsoft Sentinel Analytic Rules

AWSCloudTrail - ECR image scan findings high or critical

Id: f6928301-56da-4d2c-aabe-e1a552bc8892
Rulename: AWSCloudTrail - ECR image scan findings high or critical
Description: Identifies Amazon ECR image scan findings that report high or critical severity vulnerabilities. These findings indicate container images that should be reviewed and remediated before deployment or continued use.
Severity: High
Tactics: Discovery
Techniques: T1083
Required data connectors: AWS
Kind: Scheduled
Query frequency: 1d
Query period: 1d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_ECRContainerHigh.yaml
Version: 1.0.3
Arm template: f6928301-56da-4d2c-aabe-e1a552bc8892.json
queryPeriod: 1d
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
  - columnName: RecipientAccountId
    identifier: CloudAppAccountId
- entityType: IP
  fieldMappings:
  - columnName: SourceIpAddress
    identifier: Address
relevantTechniques:
- T1083
triggerOperator: gt
triggerThreshold: 0
status: Available
name: AWSCloudTrail - ECR image scan findings high or critical
requiredDataConnectors:
- connectorId: AWS
  dataTypes:
  - AWSCloudTrail
id: f6928301-56da-4d2c-aabe-e1a552bc8892
version: 1.0.3
description: |
    Identifies Amazon ECR image scan findings that report high or critical severity vulnerabilities. These findings indicate container images that should be reviewed and remediated before deployment or continued use.
alertDetailsOverride:
  alertDisplayNameFormat: AWS ECR image scan findings with high or critical Vulnerabilities in {{repoName}}
  alertDescriptionFormat: ECR image {{imageId}} in repository {{repoName}} returned critical and high findings.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_ECRContainerHigh.yaml
query: |
  AWSCloudTrail
  | where EventName == "DescribeImageScanFindings" and isempty(ErrorCode) and isempty(ErrorMessage)
  | extend repoName = tostring(parse_json(ResponseElements).repositoryName)
  | extend imageId = tostring(parse_json(ResponseElements).imageId.imageDigest)
  | extend Critical = toint(parse_json(ResponseElements).imageScanFindings.findingSeverityCounts.CRITICAL)
  | extend High = toint(parse_json(ResponseElements).imageScanFindings.findingSeverityCounts.HIGH)
  | where Critical > 0 or High > 0
  | extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
  | extend UserName = tostring(split(UserIdentityArn, '/')[-1])
  | extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
  | extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
    AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
queryFrequency: 1d
customDetails:
  Repository: repoName
  CriticalFindings: Critical
  HighFindings: High
  ImageDigest: imageId
kind: Scheduled
tactics:
- Discovery
severity: High