splApache-2.0from splunk/security_content

AWS ECR Container Scanning Findings High

The following analytic identifies high-severity findings from AWS Elastic Container Registry (ECR) image scans. It detects these activities by analyzing AWS CloudTrail logs for the DescribeImageScanFindings event, specifically filtering for findings with a high severity level. This activity is significant for a SOC because high-severity vulnerabilities in container images can lead to potential exploitation if not addressed. If confirmed malicious, attackers could exploit these vulnerabilities to gain unauthorized access, execute arbitrary code, or escalate privileges within the container environment, posing a significant risk to the overall security posture.

Quality

FP risk

—

Forks

Views

Rule source🔒 locked

title: ████████████████████████
id: ████████-████-████-████-████████████
status: ██████████
description: ██████████████████████████████████████████
             ████████████████████████████████████████
author: ████████
tags:
  - attack.████
  - attack.████
logsource:
  product: ████████
  category: ████████████
detection:
  selection:
    Image|endswith: '████████████████'
    CommandLine|contains:
      - '████████████████████████'
      - '████████████████████████'
      - '██████████████████'
  condition: selection
level: ████████
falsepositives:
  - ████████████████████

🔒

Sign in to view the rule source

Free accounts can view the source for the top-ranked rules. Create one in seconds — no credit card required.