Query Details

AWS CloudTrail AWS ECR Container Upload Unknown User

Query

// Event names to watch. PutImage is the ECR API call that completes an image push
// (the layer uploads before it appear as separate InitiateLayerUpload/CompleteLayerUpload events).
let _EventNames = dynamic(["PutImage"]);
// Allowlist of principals expected to push images, taken from the watchlist:
// rows tagged AWSIAMUser whose Auxiliar column mentions one of the event names.
let _ExpectedUsers = toscalar(
    _GetWatchlist("Activity-ExpectedSignificantActivity")
    | where Activity == "AWSIAMUser" and Auxiliar has_any (_EventNames)
    | summarize make_list(ActorPrincipalName)
);
AWSCloudTrail
// Filter on the list defined above rather than repeating the literal.
| where EventName in (_EventNames)
// Exact string match on the caller ARN; failed calls (ErrorCode set) are kept on purpose.
| where not(UserIdentityArn in (_ExpectedUsers))
// User-defined enrichment function; it must exist in the workspace for the query to run.
| invoke AWSIdentityRole()
| project
    TimeGenerated,
    UserIdentityType,
    Identity,
    ActorRole,
    UserIdentityAccountId,
    UserIdentityAccountName,
    RecipientAccountId,
    RecipientAccountName,
    SessionCreationDate,
    UserIdentityPrincipalid,
    UserIdentityArn,
    SourceIpAddress,
    EventSource,
    EventTypeName,
    EventName,
    ManagementEvent,
    ReadOnly,
    ErrorCode,
    ErrorMessage,
    RequestParameters,
    ResponseElements,
    Resources,
    SessionMfaAuthenticated,
    UserAgent,
    AwsEventId

Explanation

The query retrieves AWS CloudTrail events whose EventName is "PutImage", the ECR API call that completes a container image push, and keeps only those whose UserIdentityArn is not in the list of expected principals. That list is built from the "Activity-ExpectedSignificantActivity" watchlist: rows with Activity "AWSIAMUser" whose Auxiliar column mentions the event name are summarized into a list of ActorPrincipalName values. The surviving events are enriched with AWSIdentityRole(), a user-defined Sentinel function that must exist in the workspace, and projected to the fields listed. An image pushed by a principal nobody expected to push can mean a leaked credential or an attempt to plant a malicious image in a repository that deployments pull from.

Two points to check before relying on it. The comparison is an exact string match on UserIdentityArn, so a caller acting through an assumed role is logged as arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName> and will not match a watchlist entry holding the role's IAM ARN unless the watchlist stores that session form or the ARN is normalized first. Failed calls are not filtered out (ErrorCode and ErrorMessage are projected), so an AccessDenied PutImage from an unknown principal still surfaces, which is useful; on the other hand, an empty watchlist result makes every PutImage alert.
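The same detection logic as a stand-alone Python script run over raw CloudTrail records, added here as an example; it is not the Sentinel query above and not the author's code. The CloudTrail records, account IDs, principal names and IP addresses are constructed for the example, the set EXPECTED_PRINCIPALS stands in for the watchlist lookup, and the normalize_principal() step, which maps an assumed-role session ARN back to the IAM role ARN so one allowlist entry covers every session of that role, is an addition the original query does not make. Failed pushes are kept, and an empty allowlist is rejected instead of silently alerting on everything.

```python
import json
import re

# Constructed CloudTrail records in the "Records" envelope shape.
# Account IDs, names, IPs and timestamps are made up for this example.
SAMPLE_CLOUDTRAIL_JSON = """
{"Records": [
 {"eventTime": "2024-02-13T10:00:01Z", "eventSource": "ecr.amazonaws.com",
  "eventName": "PutImage", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-pusher"},
  "requestParameters": {"repositoryName": "app/api", "imageTag": "1.4.2"}},
 {"eventTime": "2024-02-13T10:05:17Z", "eventSource": "ecr.amazonaws.com",
  "eventName": "PutImage", "sourceIPAddress": "203.0.113.11",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::111122223333:assumed-role/EcrPushRole/github-run-4711",
                   "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
  "requestParameters": {"repositoryName": "app/api", "imageTag": "1.4.3"}},
 {"eventTime": "2024-02-13T11:42:09Z", "eventSource": "ecr.amazonaws.com",
  "eventName": "PutImage", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"repositoryName": "app/api", "imageTag": "latest"}},
 {"eventTime": "2024-02-13T11:43:30Z", "eventSource": "ecr.amazonaws.com",
  "eventName": "PutImage", "sourceIPAddress": "198.51.100.7",
  "errorCode": "AccessDenied",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnlyRole/bob",
                   "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
  "requestParameters": {"repositoryName": "app/worker"}},
 {"eventTime": "2024-02-13T11:44:00Z", "eventSource": "ecr.amazonaws.com",
  "eventName": "DescribeImages", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"repositoryName": "app/api"}}
]}
"""

# Stand-in for the watchlist: principals expected to push images (constructed).
# Roles are listed by their IAM ARN; sessions are normalized to that form below.
EXPECTED_PRINCIPALS = {
    "arn:aws:iam::111122223333:user/ci-pusher",
    "arn:aws:iam::111122223333:role/EcrPushRole",
}

# CloudTrail logs an assumed-role caller as arn:aws:sts::<acct>:assumed-role/<Role>/<Session>.
ASSUMED_ROLE_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/.+$")


def normalize_principal(arn: str) -> str:
    """Map an STS assumed-role session ARN to its IAM role ARN; other ARNs pass through."""
    m = ASSUMED_ROLE_RE.match(arn)
    if m:
        return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}"
    return arn


def load_records(text: str) -> list:
    """Parse a CloudTrail log file body and return its Records array."""
    return json.loads(text)["Records"]


def unexpected_image_pushes(records, expected_principals, event_names=("PutImage",)):
    """Return the PutImage events whose caller is not on the allowlist.

    Failed calls are kept (errorCode is reported), mirroring the KQL query,
    which does not filter on ErrorCode. An empty allowlist is an error rather
    than a rule that alerts on every push.
    """
    if not expected_principals:
        raise ValueError("expected_principals is empty: every push would alert")
    hits = []
    for ev in records:
        if ev.get("eventName") not in event_names:
            continue
        ident = ev.get("userIdentity", {})
        arn = ident.get("arn", "")
        if normalize_principal(arn) in expected_principals:
            continue
        hits.append({
            "eventTime": ev.get("eventTime"),
            "identityType": ident.get("type"),
            "principalArn": arn,
            "normalizedPrincipal": normalize_principal(arn),
            "sourceIp": ev.get("sourceIPAddress"),
            "repository": ev.get("requestParameters", {}).get("repositoryName"),
            "errorCode": ev.get("errorCode"),
            "mfaAuthenticated": ident.get("sessionContext", {})
                                     .get("attributes", {})
                                     .get("mfaAuthenticated"),
        })
    return hits


if __name__ == "__main__":
    for hit in unexpected_image_pushes(load_records(SAMPLE_CLOUDTRAIL_JSON), EXPECTED_PRINCIPALS):
        print(json.dumps(hit))
```

Run against the sample, the pushes by ci-pusher and by the EcrPushRole session are accepted, the push by alice and the denied attempt from the ReadOnlyRole session are reported, and the DescribeImages call is ignored. The same normalization could be applied in KQL with extract() on UserIdentityArn before the allowlist comparison.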

Details

Jose Sebastián Canós

Released: February 13, 2024

Tables

AWSCloudTrail

Keywords

AWSCloudTrail,PutImage,UserIdentityArn,TimeGenerated,UserIdentityType,Identity,ActorRole,UserIdentityAccountId,UserIdentityAccountName,RecipientAccountId,RecipientAccountName,SessionCreationDate,UserIdentityPrincipalid,SourceIpAddress,EventSource,EventTypeName,EventName,ManagementEvent,ReadOnly,ErrorCode,ErrorMessage,RequestParameters,ResponseElements,Resources,SessionMfaAuthenticated,UserAgent,AwsEventId

Operators

|, where, and, has_any, summarize, toscalar, not, in, invoke, project