Detection: AWS ECR Container Scanning Findings Low Informational Unknown

Updated Date: 2025-02-10 ID: cbc95e44-7c22-443f-88fd-0424478f5589 Author: Patrick Bareiss, Eric McGinnis Splunk Type: Anomaly Product: Splunk Enterprise Security

Description

The following analytic identifies low, informational, or unknown severity findings from AWS Elastic Container Registry (ECR) image scans. It leverages AWS CloudTrail logs, specifically the DescribeImageScanFindings event, to detect these findings. This activity is significant for a SOC as it helps in early identification of potential vulnerabilities or misconfigurations in container images, which could be exploited if left unaddressed. If confirmed malicious, these findings could lead to unauthorized access, data breaches, or further exploitation within the containerized environment.

Search

 1`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings 
 2| spath path=responseElements.imageScanFindings.findings{} output=findings 
 3| mvexpand findings 
 4| spath input=findings 
 5| search severity IN ("LOW", "INFORMATIONAL", "UNKNOWN") 
 6| rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository 
 7| rename user_name as user 
 8| stats count min(_time) as firstTime max(_time) as lastTime by signature dest user user_agent src vendor_account vendor_region vendor_product finding_name finding_description imageDigest repository 
 9| `security_content_ctime(firstTime)` 
10| `security_content_ctime(lastTime)` 
11| `aws_ecr_container_scanning_findings_low_informational_unknown_filter`

Data Source

Name	Platform	Sourcetype	Source
AWS CloudTrail DescribeImageScanFindings	AWS	`'aws:cloudtrail'`	`'aws_cloudtrail'`

Macros Used

Name	Value
cloudtrail	`sourcetype=aws:cloudtrail`
aws_ecr_container_scanning_findings_low_informational_unknown_filter	`search *`

aws_ecr_container_scanning_findings_low_informational_unknown_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1204.003	Malicious Image	Execution

Installation

DE.AE

CIS 13

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Risk Event	True

This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.

Known False Positives

unknown

Associated Analytic Story

Dev Sec Ops

Risk Based Analytics (RBA)

Risk Message:

Vulnerabilities found in repository $repository$

Risk Object	Risk Object Type	Risk Score	Threat Objects
user	user	5	No Threat Objects

References

https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`aws_cloudtrail`	`aws:cloudtrail`
Integration	✅ Passing	Dataset	`aws_cloudtrail`	`aws:cloudtrail`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 7