AWS Cloud Trail Aws Ecr Container Upload Unknown User
Query
let _ExpectedEventNames = dynamic(["PutImage"]);
let _ExpectedUsers = toscalar(
_GetWatchlist("Activity-ExpectedSignificantActivity")
| where Activity == "AWSIAMUser" and Auxiliar has_any (_ExpectedEventNames)
| summarize make_list(ActorPrincipalName)
);
AWSCloudTrail
| where EventName == "PutImage"
| where not(UserIdentityArn in (_ExpectedUsers))
| invoke AWSIdentityRole()
| project
TimeGenerated,
UserIdentityType,
Identity,
ActorRole,
UserIdentityAccountId,
UserIdentityAccountName,
RecipientAccountId,
RecipientAccountName,
AWSRegion,
SessionCreationDate,
UserIdentityPrincipalid,
UserIdentityArn,
SourceIpAddress,
EventSource,
EventTypeName,
EventName,
ManagementEvent,
ReadOnly,
ErrorCode,
ErrorMessage,
RequestParameters,
ResponseElements,
Resources,
SessionMfaAuthenticated,
UserAgent,
AwsEventIdExplanation
This KQL (Kusto Query Language) query is designed to analyze AWS CloudTrail logs to identify specific events related to the "PutImage" action. Here's a simplified breakdown of what the query does:
-
Define Expected Event Names: It sets up a list of expected event names, in this case, just "PutImage".
-
Retrieve Expected Users: It fetches a list of users from a watchlist named "Activity-ExpectedSignificantActivity" who are expected to perform the "PutImage" action. This is done by filtering for activities related to "AWSIAMUser" and checking if they match the expected event names.
-
Filter CloudTrail Logs: It searches through AWS CloudTrail logs for events where the "EventName" is "PutImage".
-
Exclude Expected Users: It excludes events performed by users who are in the list of expected users.
-
Invoke AWS Identity Role: It calls a function named
AWSIdentityRole()to possibly enrich the data with additional role-related information. -
Select Specific Fields: Finally, it selects and displays a set of fields from the resulting data, such as the time the event was generated, user identity details, account information, event details, and more.
In summary, this query identifies "PutImage" actions in AWS CloudTrail logs that were performed by users who are not on a predefined list of expected users, and it provides detailed information about these events.
Details

Jose Sebastián Canós
Released: March 11, 2024
Tables
Keywords
Operators