Detection rules › Splunk
AWS ECR Container Scanning Findings Medium
The following analytic identifies medium-severity findings from AWS Elastic Container Registry (ECR) image scans. It leverages AWS CloudTrail logs, specifically the DescribeImageScanFindings event, to detect vulnerabilities in container images. This activity is significant for a SOC as it highlights potential security risks in containerized applications, which could be exploited if not addressed. If confirmed malicious, these vulnerabilities could lead to unauthorized access, data breaches, or further exploitation within the container environment, compromising the overall security posture.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1204.003 User Execution: Malicious Image |
Event coverage
| Provider | Event |
|---|---|
| AWS-ecr | DescribeImageScanFindings |
Rules detecting the same action
Other rules on this platform that filter on the same API call or operation.
Rule body splunk
name: AWS ECR Container Scanning Findings Medium
id: 0b80e2c8-c746-4ddb-89eb-9efd892220cf
version: 13
creation_date: '2021-08-18'
modification_date: '2026-05-13'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
description: The following analytic identifies medium-severity findings from AWS Elastic Container Registry (ECR) image scans. It leverages AWS CloudTrail logs, specifically the DescribeImageScanFindings event, to detect vulnerabilities in container images. This activity is significant for a SOC as it highlights potential security risks in containerized applications, which could be exploited if not addressed. If confirmed malicious, these vulnerabilities could lead to unauthorized access, data breaches, or further exploitation within the container environment, compromising the overall security posture.
data_source:
- AWS CloudTrail DescribeImageScanFindings
search: |-
`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings
| spath path=responseElements.imageScanFindings.findings{} output=findings
| mvexpand findings
| spath input=findings
| search severity=MEDIUM
| rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository
| rename user_name as user
| stats count min(_time) as firstTime max(_time) as lastTime
BY signature dest user
user_agent src vendor_account
vendor_region vendor_product finding_name
finding_description imageDigest repository
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_ecr_container_scanning_findings_medium_filter`
how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
known_false_positives: No false positives have been identified at this time.
references:
- https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html
drilldown_searches:
- name: View the detection results for - "$user$"
search: '%original_detection_search% | search user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
intermediate_findings:
entities:
- field: user
type: user
score: 20
message: Vulnerabilities with severity medium found in repository $repository$
analytic_story:
- Dev Sec Ops
asset_type: AWS Account
mitre_attack_id:
- T1204.003
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: cloud
security_domain: network
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/aws_ecr_image_scanning/aws_ecr_scanning_findings_events.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
test_type: unit
Stages and Predicates
Stage 1: search
`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings
Stage 2: spath
| spath path=responseElements.imageScanFindings.findings{} output=findings
Stage 3: mvexpand
| mvexpand findings
Stage 4: spath
| spath input=findings
Stage 5: search
| search severity=MEDIUM
Stage 6: rename
| rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository
Stage 7: rename
| rename user_name as user
Stage 8: stats
| stats count min(_time) as firstTime max(_time) as lastTime
BY signature dest user
user_agent src vendor_account
vendor_region vendor_product finding_name
finding_description imageDigest repository
Stage 9: search
| `security_content_ctime(firstTime)`
Stage 10: search
| `security_content_ctime(lastTime)`
Stage 11: search
| `aws_ecr_container_scanning_findings_medium_filter`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
eventName | eq |
|
eventSource | eq |
|
severity | eq |
|
sourcetype | eq |
|