Techniques
Sample rules
AWS ECR Container Upload Outside Business Hours
- source: splunk
- techniques:
  - T1204.003
  - T1204
Description
This search looks for AWS CloudTrail events from AWS Elastic Container Service (ECR). An upload of a new container image is normally done during business hours; an upload outside business hours warrants a closer look.
Detection logic
`cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage (date_hour>=20 OR date_hour<8 OR date_wday=saturday OR date_wday=sunday)
| rename requestParameters.* as *
| rename repositoryName AS repository
| eval phase="release"
| eval severity="medium"
| stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, user, userName, src_ip, imageTag, registryId, repository, phase, severity
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_ecr_container_upload_outside_business_hours_filter`
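The same off-hours check, reimplemented in Python over constructed CloudTrail records so the logic can be exercised outside Splunk. This is an added example, not code from the Splunk rule; the sample events, field names such as `userIdentity.userName` and `sourceIPAddress`, and the `utc_offset_hours` parameter are assumptions for the example. It also covers one caveat the SPL leaves implicit: CloudTrail `eventTime` is UTC, so the hour and weekday must be evaluated in the timezone the business-hours window is defined in.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample CloudTrail records for this example (not real data).
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-12T14:05:00Z", "eventSource": "ecr.amazonaws.com", "eventName": "PutImage",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "ci-builder"},
     "requestParameters": {"repositoryName": "web-api", "imageTag": "v1.2.3", "registryId": "123456789012"}},
    {"eventTime": "2024-03-12T23:30:00Z", "eventSource": "ecr.amazonaws.com", "eventName": "PutImage",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"repositoryName": "web-api", "imageTag": "hotfix", "registryId": "123456789012"}},
    {"eventTime": "2024-03-16T10:00:00Z", "eventSource": "ecr.amazonaws.com", "eventName": "PutImage",
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"repositoryName": "batch-jobs", "imageTag": "latest", "registryId": "123456789012"}},
    # Not an upload: must be ignored even though it happened at night.
    {"eventTime": "2024-03-12T23:45:00Z", "eventSource": "ecr.amazonaws.com", "eventName": "DescribeImages",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "ci-builder"}, "requestParameters": {"repositoryName": "web-api"}},
]


def parse_event_time(event_time: str, utc_offset_hours: int) -> datetime:
    """CloudTrail eventTime is ISO 8601 in UTC; shift it into the zone the
    business-hours window is defined in (assumed as a fixed UTC offset here)."""
    utc = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return utc.astimezone(timezone(timedelta(hours=utc_offset_hours)))


def is_outside_business_hours(ts: datetime) -> bool:
    """Mirror the SPL predicate: hour >= 20 OR hour < 8 OR Saturday/Sunday."""
    return ts.hour >= 20 or ts.hour < 8 or ts.weekday() >= 5


def off_hours_ecr_uploads(events, utc_offset_hours: int = 0):
    """Filter ECR PutImage events to those outside business hours and
    aggregate them the way the SPL stats clause does (firstTime/lastTime per key)."""
    rows = {}
    for ev in events:
        if ev.get("eventSource") != "ecr.amazonaws.com" or ev.get("eventName") != "PutImage":
            continue
        ts = parse_event_time(ev["eventTime"], utc_offset_hours)
        if not is_outside_business_hours(ts):
            continue
        rp = ev.get("requestParameters", {})
        user = ev.get("userIdentity", {}).get("userName")
        key = (ev.get("awsRegion"), user, ev.get("sourceIPAddress"),
               rp.get("repositoryName"), rp.get("imageTag"), rp.get("registryId"))
        row = rows.setdefault(key, {
            "awsRegion": key[0], "eventName": "PutImage", "eventSource": "ecr.amazonaws.com",
            "userName": user, "src_ip": key[2], "repository": key[3], "imageTag": key[4],
            "registryId": key[5], "phase": "release", "severity": "medium",
            "firstTime": ts, "lastTime": ts, "count": 0,
        })
        row["firstTime"] = min(row["firstTime"], ts)
        row["lastTime"] = max(row["lastTime"], ts)
        row["count"] += 1
    return list(rows.values())


if __name__ == "__main__":
    for offset in (0, -5):
        print(f"UTC{offset:+d}:")
        for r in off_hours_ecr_uploads(SAMPLE_EVENTS, offset):
            print(f"  {r['userName']} pushed {r['repository']}:{r['imageTag']} at {r['firstTime']}")
```

Running it with offset 0 flags the 23:30 UTC Tuesday push and the Saturday push; with a UTC-5 offset the Tuesday push lands at 18:30 local and drops out, while the Saturday push stays. That shift is the reason the Splunk `date_hour`/`date_wday` fields should be checked against the timezone your indexers assign to CloudTrail events before tuning the 08:00 to 20:00 window. The example also filters on both `eventSource` and `eventName` together before applying the time predicate, which is the grouping the SPL needs parentheses to express because AND binds tighter than OR in Splunk search syntax.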