When your development is spread across different time zones, applying this rule can be difficult.

Techniques

Sample rules

AWS ECR Container Upload Outside Business Hours

Description

This search looks for AWS CloudTrail events from Amazon Elastic Container Registry (ECR). An upload of a new container image is normally done during business hours; when it happens outside business hours, we want to take a look into it.

Detection logic

`cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage (date_hour>=20 OR date_hour<8 OR date_wday=saturday OR date_wday=sunday) 
| rename requestParameters.* as * 
| rename repositoryName AS repository 
| eval phase="release" 
| eval severity="medium" 
| stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, eventSource, user, userName, src_ip, imageTag, registryId, repository, phase, severity 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_ecr_container_upload_outside_business_hours_filter`
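The search above evaluates date_hour and date_wday in the time zone of the Splunk instance, which is exactly why the false positive noted at the top occurs: a PutImage at 15:30 UTC is mid-afternoon for a team in London and 21:00 for a team in India. The following Python is an added example, not code from the Splunk security content project, that re-implements the same off-hours window over constructed CloudTrail-style records (only the fields the search uses; the account id, IPs and user names are placeholders) and runs it under three different time zones so the drift is visible. CloudTrail's eventTime is always UTC, which the code relies on.

```python
"""Off-hours ECR PutImage detection, mirroring the Splunk search, with an
explicit time zone so the business-hours window follows the team's clock."""
import json
from datetime import datetime, timedelta, timezone

# Fixed-offset zones used for the demonstration (no tzdata needed).
UTC = timezone.utc
IST = timezone(timedelta(hours=5, minutes=30))   # India, no DST
PDT = timezone(timedelta(hours=-7))              # US Pacific in March 2024 (DST)

# Constructed CloudTrail-style records, not real events. 2024-03-12 is a
# Tuesday and 2024-03-16 is a Saturday.
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"eventTime": "2024-03-12T15:30:00Z", "eventSource": "ecr.amazonaws.com", "eventName": "PutImage",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10", "userIdentity": {"userName": "dev-a"},
     "requestParameters": {"repositoryName": "web-api", "imageTag": "v1.4.2", "registryId": "111111111111"}},
    {"eventTime": "2024-03-12T22:15:00Z", "eventSource": "ecr.amazonaws.com", "eventName": "PutImage",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.20", "userIdentity": {"userName": "dev-b"},
     "requestParameters": {"repositoryName": "worker", "imageTag": "v2.0.0", "registryId": "111111111111"}},
    {"eventTime": "2024-03-12T22:20:00Z", "eventSource": "ecr.amazonaws.com", "eventName": "PutImage",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.20", "userIdentity": {"userName": "dev-b"},
     "requestParameters": {"repositoryName": "worker", "imageTag": "v2.0.0", "registryId": "111111111111"}},
    {"eventTime": "2024-03-16T10:00:00Z", "eventSource": "ecr.amazonaws.com", "eventName": "PutImage",
     "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.30", "userIdentity": {"userName": "ci-bot"},
     "requestParameters": {"repositoryName": "web-api", "imageTag": "hotfix", "registryId": "111111111111"}},
    # Not a PutImage call: the search must ignore it regardless of time.
    {"eventTime": "2024-03-16T10:05:00Z", "eventSource": "ecr.amazonaws.com", "eventName": "DescribeImages",
     "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.30", "userIdentity": {"userName": "ci-bot"},
     "requestParameters": {"repositoryName": "web-api", "registryId": "111111111111"}},
)]

# Same group-by columns as the `stats ... by` clause (the search's `user` and
# `userName` are both taken from userIdentity.userName here).
COLUMNS = ("awsRegion", "eventName", "eventSource", "userName", "src_ip",
           "imageTag", "registryId", "repository")


def parse_event(line):
    """Flatten one CloudTrail JSON record; mirrors `rename requestParameters.* as *`."""
    e = json.loads(line)
    rp = e.get("requestParameters", {})
    return {
        "time": datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC),
        "eventSource": e["eventSource"],
        "eventName": e["eventName"],
        "awsRegion": e["awsRegion"],
        "userName": e["userIdentity"]["userName"],
        "src_ip": e["sourceIPAddress"],
        "imageTag": rp.get("imageTag"),
        "registryId": rp.get("registryId"),
        "repository": rp.get("repositoryName"),
    }


def outside_business_hours(t_utc, tz=UTC):
    """Same window as the search (hour >= 20, hour < 8, Saturday, Sunday),
    but evaluated in the supplied zone instead of the indexer's zone."""
    local = t_utc.astimezone(tz)
    return local.hour >= 20 or local.hour < 8 or local.weekday() >= 5


def find_offhours_uploads(lines, tz=UTC):
    """Filter to ECR PutImage outside business hours in tz and aggregate like
    `stats min(_time) as firstTime max(_time) as lastTime by ...`."""
    rows = {}
    for line in lines:
        ev = parse_event(line)
        if ev["eventSource"] != "ecr.amazonaws.com" or ev["eventName"] != "PutImage":
            continue
        if not outside_business_hours(ev["time"], tz):
            continue
        key = tuple(ev[c] for c in COLUMNS)
        row = rows.setdefault(key, {"firstTime": ev["time"], "lastTime": ev["time"],
                                    "phase": "release", "severity": "medium"})
        row["firstTime"] = min(row["firstTime"], ev["time"])
        row["lastTime"] = max(row["lastTime"], ev["time"])
    return sorted((dict(zip(COLUMNS, k), **r) for k, r in rows.items()),
                  key=lambda r: r["firstTime"])


if __name__ == "__main__":
    # The same five records yield 2, 3 and 1 findings depending on the zone.
    for name, tz in (("UTC", UTC), ("IST", IST), ("PDT", PDT)):
        hits = find_offhours_uploads(SAMPLE_EVENTS, tz)
        print(f"{name}: {len(hits)} off-hours upload(s)")
        for r in hits:
            print(f"  {r['userName']:<7} {r['repository']}:{r['imageTag']}  "
                  f"{r['firstTime'].astimezone(tz):%a %H:%M} .. {r['lastTime'].astimezone(tz):%H:%M}")
```

Running it shows the dev-a upload at 15:30 UTC is flagged only under IST, the two dev-b pushes collapse into one row with first/last times 22:15 and 22:20 UTC and vanish entirely under PDT, and the Saturday ci-bot push is flagged everywhere. When teams span zones, either evaluate the window per user or region (the user's home zone is not in the event itself and has to come from a lookup) or restrict the rule to identities whose working hours are known, otherwise the filter macro at the end of the search will carry most of the load.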