Microsoft Sentinel Analytic Rules

AWSCloudTrail - ECR image scan findings high or critical

Id: f6928301-56da-4d2c-aabe-e1a552bc8892
Rulename: AWSCloudTrail - ECR image scan findings high or critical
Description: Identifies Amazon ECR image scan findings that report high or critical severity vulnerabilities. These findings indicate container images that should be reviewed and remediated before deployment or continued use.
Severity: High
Tactics: Discovery
Techniques: T1083
Required data connectors: AWS
Kind: Scheduled
Query frequency: 1d
Query period: 1d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_ECRContainerHigh.yaml
Version: 1.0.3
Arm template: f6928301-56da-4d2c-aabe-e1a552bc8892.json
AWSCloudTrail
| where EventName == "DescribeImageScanFindings" and isempty(ErrorCode) and isempty(ErrorMessage)
| extend repoName = tostring(parse_json(ResponseElements).repositoryName)
| extend imageId = tostring(parse_json(ResponseElements).imageId.imageDigest)
| extend Critical = toint(parse_json(ResponseElements).imageScanFindings.findingSeverityCounts.CRITICAL)
| extend High = toint(parse_json(ResponseElements).imageScanFindings.findingSeverityCounts.HIGH)
| where Critical > 0 or High > 0
| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
| extend UserName = tostring(split(UserIdentityArn, '/')[-1])
| extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
| extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
  AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
  - identifier: CloudAppAccountId
    columnName: RecipientAccountId
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIpAddress
tactics:
- Discovery
requiredDataConnectors:
- dataTypes:
  - AWSCloudTrail
  connectorId: AWS
alertDetailsOverride:
  alertDisplayNameFormat: AWS ECR image scan findings with high or critical Vulnerabilities in {{repoName}}
  alertDescriptionFormat: ECR image {{imageId}} in repository {{repoName}} returned critical and high findings.
id: f6928301-56da-4d2c-aabe-e1a552bc8892
severity: High
status: Available
customDetails:
  CriticalFindings: Critical
  HighFindings: High
  ImageDigest: imageId
  Repository: repoName
query: |
  AWSCloudTrail
  | where EventName == "DescribeImageScanFindings" and isempty(ErrorCode) and isempty(ErrorMessage)
  | extend repoName = tostring(parse_json(ResponseElements).repositoryName)
  | extend imageId = tostring(parse_json(ResponseElements).imageId.imageDigest)
  | extend Critical = toint(parse_json(ResponseElements).imageScanFindings.findingSeverityCounts.CRITICAL)
  | extend High = toint(parse_json(ResponseElements).imageScanFindings.findingSeverityCounts.HIGH)
  | where Critical > 0 or High > 0
  | extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
  | extend UserName = tostring(split(UserIdentityArn, '/')[-1])
  | extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
  | extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
    AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_ECRContainerHigh.yaml
kind: Scheduled
queryPeriod: 1d
version: 1.0.3
name: AWSCloudTrail - ECR image scan findings high or critical
queryFrequency: 1d
triggerThreshold: 0
relevantTechniques:
- T1083
description: |
    Identifies Amazon ECR image scan findings that report high or critical severity vulnerabilities. These findings indicate container images that should be reviewed and remediated before deployment or continued use.
triggerOperator: gt