Data Source: AWS CloudTrail PutImage

Description

Data source object for the AWS CloudTrail record of the ECR `PutImage` API call (eventSource `ecr.amazonaws.com`), which pushes an image manifest and tag into a container repository. Note that `requestParameters.imageManifest` and `responseElements.image.imageManifest` carry the Docker/OCI manifest as an embedded JSON string (double-encoded), so config and layer digests must be extracted by parsing that string rather than read as top-level fields.

Details

Property Value
Source aws_cloudtrail
Sourcetype aws:cloudtrail
Separator eventName

Supported Apps

Event Fields

Fields
  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">app</span>
  
  <span class="pill kill-chain">awsRegion</span>
  
  <span class="pill kill-chain">aws_account_id</span>
  
  <span class="pill kill-chain">command</span>
  
  <span class="pill kill-chain">date_hour</span>
  
  <span class="pill kill-chain">date_mday</span>
  
  <span class="pill kill-chain">date_minute</span>
  
  <span class="pill kill-chain">date_month</span>
  
  <span class="pill kill-chain">date_second</span>
  
  <span class="pill kill-chain">date_wday</span>
  
  <span class="pill kill-chain">date_year</span>
  
  <span class="pill kill-chain">date_zone</span>
  
  <span class="pill kill-chain">dest</span>
  
  <span class="pill kill-chain">dvc</span>
  
  <span class="pill kill-chain">errorCode</span>
  
  <span class="pill kill-chain">eventCategory</span>
  
  <span class="pill kill-chain">eventID</span>
  
  <span class="pill kill-chain">eventName</span>
  
  <span class="pill kill-chain">eventSource</span>
  
  <span class="pill kill-chain">eventTime</span>
  
  <span class="pill kill-chain">eventType</span>
  
  <span class="pill kill-chain">eventVersion</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">managementEvent</span>
  
  <span class="pill kill-chain">msg</span>
  
  <span class="pill kill-chain">object_category</span>
  
  <span class="pill kill-chain">product</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">readOnly</span>
  
  <span class="pill kill-chain">recipientAccountId</span>
  
  <span class="pill kill-chain">region</span>
  
  <span class="pill kill-chain">requestID</span>
  
  <span class="pill kill-chain">requestParameters.imageManifest</span>
  
  <span class="pill kill-chain">requestParameters.imageManifestMediaType</span>
  
  <span class="pill kill-chain">requestParameters.imageTag</span>
  
  <span class="pill kill-chain">requestParameters.registryId</span>
  
  <span class="pill kill-chain">requestParameters.repositoryName</span>
  
  <span class="pill kill-chain">resources{}.ARN</span>
  
  <span class="pill kill-chain">resources{}.accountId</span>
  
  <span class="pill kill-chain">responseElements.image.imageId.imageDigest</span>
  
  <span class="pill kill-chain">responseElements.image.imageId.imageTag</span>
  
  <span class="pill kill-chain">responseElements.image.imageManifest</span>
  
  <span class="pill kill-chain">responseElements.image.imageManifestMediaType</span>
  
  <span class="pill kill-chain">responseElements.image.registryId</span>
  
  <span class="pill kill-chain">responseElements.image.repositoryName</span>
  
  <span class="pill kill-chain">signature</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourceIPAddress</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">src</span>
  
  <span class="pill kill-chain">src_ip</span>
  
  <span class="pill kill-chain">start_time</span>
  
  <span class="pill kill-chain">timeendpos</span>
  
  <span class="pill kill-chain">timestartpos</span>
  
  <span class="pill kill-chain">user</span>
  
  <span class="pill kill-chain">userAgent</span>
  
  <span class="pill kill-chain">userIdentity.accessKeyId</span>
  
  <span class="pill kill-chain">userIdentity.accountId</span>
  
  <span class="pill kill-chain">userIdentity.arn</span>
  
  <span class="pill kill-chain">userIdentity.invokedBy</span>
  
  <span class="pill kill-chain">userIdentity.principalId</span>
  
  <span class="pill kill-chain">userIdentity.sessionContext.attributes.creationDate</span>
  
  <span class="pill kill-chain">userIdentity.sessionContext.attributes.mfaAuthenticated</span>
  
  <span class="pill kill-chain">userIdentity.type</span>
  
  <span class="pill kill-chain">userIdentity.userName</span>
  
  <span class="pill kill-chain">userName</span>
  
  <span class="pill kill-chain">user_access_key</span>
  
  <span class="pill kill-chain">user_agent</span>
  
  <span class="pill kill-chain">user_arn</span>
  
  <span class="pill kill-chain">user_group_id</span>
  
  <span class="pill kill-chain">user_id</span>
  
  <span class="pill kill-chain">user_name</span>
  
  <span class="pill kill-chain">user_type</span>
  
  <span class="pill kill-chain">vendor</span>
  
  <span class="pill kill-chain">vendor_account</span>
  
  <span class="pill kill-chain">vendor_product</span>
  
  <span class="pill kill-chain">vendor_region</span>
  

Example Log (anonymized sample: the account IDs are placeholder values, and the account segment of `resources{}.ARN` has 13 digits rather than the 12 used elsewhere in the record, so do not treat this event's IDs as internally consistent)

1{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId": "AAAAAAAAAAAAAAAAAAAAA", "arn": "arn:aws:iam::111111111111:user/test", "accountId": "111111111111", "accessKeyId": "AAAAAAAAAAAAAAAAAAAAA", "userName": "test", "sessionContext": {"sessionIssuer": {}, "webIdFederationData": {}, "attributes": {"creationDate": "2021-08-18T23:15:39Z", "mfaAuthenticated": "false"}}, "invokedBy": "AWS Internal"}, "eventTime": "2021-08-18T23:17:30Z", "eventSource": "ecr.amazonaws.com", "eventName": "PutImage", "awsRegion": "eu-central-1", "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal", "requestParameters": {"registryId": "111111111112", "repositoryName": "devsecops/cat_dog_server", "imageManifest": "{\n   \"schemaVersion\": 2,\n   \"mediaType\": \"application/vnd.docker.distribution.manifest.v2+json\",\n   \"config\": {\n      \"mediaType\": \"application/vnd.docker.container.image.v1+json\",\n      \"size\": 6591,\n      \"digest\": \"sha256:547fc07c53533763d68ebdfdc45529b1db45301d07824410bcc30df866d67df1\"\n   },\n   \"layers\": [\n      {\n         \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n         \"size\": 2811969,\n         \"digest\": \"sha256:540db60ca9383eac9e418f78490994d0af424aab7bf6d0e47ac8ed4e2e9bcbba\"\n      },\n      {\n         \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n         \"size\": 35426616,\n         \"digest\": \"sha256:f4fa1ac42c97abe89e0cc807af0ae4b63fbec2a5209a75a7239d099702c7fd80\"\n      },\n      {\n         \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n         \"size\": 2347076,\n         \"digest\": \"sha256:2b3e10d0c87c453eed1378e102ff1cc17aa4e3eed2159b7505959777a6225059\"\n      },\n      {\n         \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n         \"size\": 280,\n         \"digest\": \"sha256:43bd2fc3ba418e309449b8c82d723d9069ebb81863050dc0d6ad6e6ec0683808\"\n      },\n      {\n         
\"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n         \"size\": 92,\n         \"digest\": \"sha256:803d6b58954d4daee18ed071281627f8214f3d2ba1b9a419ab8834029310942a\"\n      },\n      {\n         \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n         \"size\": 373,\n         \"digest\": \"sha256:e664d5491b5c81e901a2293fbc025532a7cae0dcc75ce7418f854209aaa2474c\"\n      },\n      {\n         \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n         \"size\": 2383293,\n         \"digest\": \"sha256:b827c586a783ce490b79907607d535f99f42360b6ba86a4b2ac3e7f01542144d\"\n      },\n      {\n         \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n         \"size\": 10001,\n         \"digest\": \"sha256:0dd85ef396bcaded88fab4a8079d6b8bd5e3f8cf7eeb9b93306ffdb63401ba0a\"\n      }\n   ]\n}", "imageManifestMediaType": "application/vnd.docker.distribution.manifest.v2+json", "imageTag": "latest"}, "responseElements": {"image": {"registryId": "111111111112", "repositoryName": "devsecops/cat_dog_server", "imageId": {"imageDigest": "sha256:b7798f35949cc1a2d435c9ac59ab69e857fe635a359c96e4f56a8498ce02019c", "imageTag": "latest"}, "imageManifest": "{\n   \"schemaVersion\": 2,\n   \"mediaType\": \"application/vnd.docker.distribution.manifest.v2+json\",\n   \"config\": {\n      \"mediaType\": \"application/vnd.docker.container.image.v1+json\",\n      \"size\": 6591,\n      \"digest\": \"sha256:547fc07c53533763d68ebdfdc45529b1db45301d07824410bcc30df866d67df1\"\n   },\n   \"layers\": [\n      {\n         \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n         \"size\": 2811969,\n         \"digest\": \"sha256:540db60ca9383eac9e418f78490994d0af424aab7bf6d0e47ac8ed4e2e9bcbba\"\n      },\n      {\n         \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n         \"size\": 35426616,\n         \"digest\": 
\"sha256:f4fa1ac42c97abe89e0cc807af0ae4b63fbec2a5209a75a7239d099702c7fd80\"\n      },\n      {\n         \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n         \"size\": 2347076,\n         \"digest\": \"sha256:2b3e10d0c87c453eed1378e102ff1cc17aa4e3eed2159b7505959777a6225059\"\n      },\n      {\n         \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n         \"size\": 280,\n         \"digest\": \"sha256:43bd2fc3ba418e309449b8c82d723d9069ebb81863050dc0d6ad6e6ec0683808\"\n      },\n      {\n         \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n         \"size\": 92,\n         \"digest\": \"sha256:803d6b58954d4daee18ed071281627f8214f3d2ba1b9a419ab8834029310942a\"\n      },\n      {\n         \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n         \"size\": 373,\n         \"digest\": \"sha256:e664d5491b5c81e901a2293fbc025532a7cae0dcc75ce7418f854209aaa2474c\"\n      },\n      {\n         \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n         \"size\": 2383293,\n         \"digest\": \"sha256:b827c586a783ce490b79907607d535f99f42360b6ba86a4b2ac3e7f01542144d\"\n      },\n      {\n         \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n         \"size\": 10001,\n         \"digest\": \"sha256:0dd85ef396bcaded88fab4a8079d6b8bd5e3f8cf7eeb9b93306ffdb63401ba0a\"\n      }\n   ]\n}", "imageManifestMediaType": "application/vnd.docker.distribution.manifest.v2+json"}}, "requestID": "805a31e6-0fed-433b-b393-f463c6881334", "eventID": "1aef3588-ae84-4f1f-9276-8ec94ee6a7e9", "readOnly": false, "resources": [{"accountId": "111111111111", "ARN": "arn:aws:ecr:eu-central-1:1111111111111:repository/devsecops/cat_dog_server"}], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management"}

Source: GitHub | Version: 1