Query Details

AWS Cloud Trail Aws Ecr Container Upload Unknown User

Query

let _ExpectedEventNames = dynamic(["PutImage"]);
let _ExpectedUsers = toscalar(
    _GetWatchlist("Activity-ExpectedSignificantActivity")
    | where Activity == "AWSIAMUser" and Auxiliar has_any (_ExpectedEventNames)
    | summarize make_list(ActorPrincipalName)
);
AWSCloudTrail
| where EventName == "PutImage"
| where not(UserIdentityArn in (_ExpectedUsers))
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    AWSRegion,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

This KQL (Kusto Query Language) query is designed to analyze AWS CloudTrail logs to identify specific events related to the "PutImage" action. Here's a simplified breakdown of what the query does:

  1. Define Expected Event Names: It sets up a list of expected event names, in this case, just "PutImage".

  2. Retrieve Expected Users: It fetches a list of users from a watchlist named "Activity-ExpectedSignificantActivity" who are expected to perform the "PutImage" action. This is done by filtering for activities related to "AWSIAMUser" and checking if they match the expected event names.

  3. Filter CloudTrail Logs: It searches through AWS CloudTrail logs for events where the "EventName" is "PutImage".

  4. Exclude Expected Users: It excludes events performed by users who are in the list of expected users.

  5. Invoke AWS Identity Role: It calls a function named AWSIdentityRole() to possibly enrich the data with additional role-related information.

  6. Select Specific Fields: Finally, it selects and displays a set of fields from the resulting data, such as the time the event was generated, user identity details, account information, event details, and more.

In summary, this query identifies "PutImage" actions in AWS CloudTrail logs that were performed by users who are not on a predefined list of expected users, and it provides detailed information about these events.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: March 11, 2024

Tables

AWSCloudTrail

Keywords

AwsCloudTrailEventNameUserIdentityArnTypeActorRoleAccountIdRecipientRegionSessionCreationDatePrincipalSourceIpAddressManagementReadOnlyErrorCodeMessageRequestParametersResponseElementsResourcesMfaAuthenticatedAgent

Operators

letdynamictoscalar_GetWatchlistwherehas_anysummarizemake_listininvokeproject

Actions

GitHub