-
Notifications
You must be signed in to change notification settings - Fork 382
/
Copy pathaws_cloudtrail_putimage.yml
151 lines (151 loc) · 7.61 KB
/
aws_cloudtrail_putimage.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
name: AWS CloudTrail PutImage
id: bb13f10d-0d8c-4fde-9136-b7cfd930e87c
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
description: Data source object for AWS CloudTrail PutImage
source: aws_cloudtrail
sourcetype: aws:cloudtrail
separator: eventName
supported_TA:
- name: Splunk Add-on for AWS
url: https://splunkbase.splunk.com/app/1876
version: 7.9.0
fields:
- _time
- app
- awsRegion
- aws_account_id
- command
- date_hour
- date_mday
- date_minute
- date_month
- date_second
- date_wday
- date_year
- date_zone
- dest
- dvc
- errorCode
- eventCategory
- eventID
- eventName
- eventSource
- eventTime
- eventType
- eventVersion
- host
- index
- linecount
- managementEvent
- msg
- object_category
- product
- punct
- readOnly
- recipientAccountId
- region
- requestID
- requestParameters.imageManifest
- requestParameters.imageManifestMediaType
- requestParameters.imageTag
- requestParameters.registryId
- requestParameters.repositoryName
- resources{}.ARN
- resources{}.accountId
- responseElements.image.imageId.imageDigest
- responseElements.image.imageId.imageTag
- responseElements.image.imageManifest
- responseElements.image.imageManifestMediaType
- responseElements.image.registryId
- responseElements.image.repositoryName
- signature
- source
- sourceIPAddress
- sourcetype
- splunk_server
- src
- src_ip
- start_time
- timeendpos
- timestartpos
- user
- userAgent
- userIdentity.accessKeyId
- userIdentity.accountId
- userIdentity.arn
- userIdentity.invokedBy
- userIdentity.principalId
- userIdentity.sessionContext.attributes.creationDate
- userIdentity.sessionContext.attributes.mfaAuthenticated
- userIdentity.type
- userIdentity.userName
- userName
- user_access_key
- user_agent
- user_arn
- user_group_id
- user_id
- user_name
- user_type
- vendor
- vendor_account
- vendor_product
- vendor_region
example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "principalId":
"AAAAAAAAAAAAAAAAAAAAA", "arn": "arn:aws:iam::111111111111:user/test", "accountId":
"111111111111", "accessKeyId": "AAAAAAAAAAAAAAAAAAAAA", "userName": "test", "sessionContext":
{"sessionIssuer": {}, "webIdFederationData": {}, "attributes": {"creationDate":
"2021-08-18T23:15:39Z", "mfaAuthenticated": "false"}}, "invokedBy": "AWS Internal"},
"eventTime": "2021-08-18T23:17:30Z", "eventSource": "ecr.amazonaws.com", "eventName":
"PutImage", "awsRegion": "eu-central-1", "sourceIPAddress": "AWS Internal", "userAgent":
"AWS Internal", "requestParameters": {"registryId": "111111111112", "repositoryName":
"devsecops/cat_dog_server", "imageManifest": "{\n \"schemaVersion\": 2,\n \"mediaType\":
\"application/vnd.docker.distribution.manifest.v2+json\",\n \"config\": {\n \"mediaType\":
\"application/vnd.docker.container.image.v1+json\",\n \"size\": 6591,\n \"digest\":
\"sha256:547fc07c53533763d68ebdfdc45529b1db45301d07824410bcc30df866d67df1\"\n },\n \"layers\":
[\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\":
2811969,\n \"digest\": \"sha256:540db60ca9383eac9e418f78490994d0af424aab7bf6d0e47ac8ed4e2e9bcbba\"\n },\n {\n \"mediaType\":
\"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 35426616,\n \"digest\":
\"sha256:f4fa1ac42c97abe89e0cc807af0ae4b63fbec2a5209a75a7239d099702c7fd80\"\n },\n {\n \"mediaType\":
\"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 2347076,\n \"digest\":
\"sha256:2b3e10d0c87c453eed1378e102ff1cc17aa4e3eed2159b7505959777a6225059\"\n },\n {\n \"mediaType\":
\"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 280,\n \"digest\":
\"sha256:43bd2fc3ba418e309449b8c82d723d9069ebb81863050dc0d6ad6e6ec0683808\"\n },\n {\n \"mediaType\":
\"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 92,\n \"digest\":
\"sha256:803d6b58954d4daee18ed071281627f8214f3d2ba1b9a419ab8834029310942a\"\n },\n {\n \"mediaType\":
\"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 373,\n \"digest\":
\"sha256:e664d5491b5c81e901a2293fbc025532a7cae0dcc75ce7418f854209aaa2474c\"\n },\n {\n \"mediaType\":
\"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 2383293,\n \"digest\":
\"sha256:b827c586a783ce490b79907607d535f99f42360b6ba86a4b2ac3e7f01542144d\"\n },\n {\n \"mediaType\":
\"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 10001,\n \"digest\":
\"sha256:0dd85ef396bcaded88fab4a8079d6b8bd5e3f8cf7eeb9b93306ffdb63401ba0a\"\n }\n ]\n}",
"imageManifestMediaType": "application/vnd.docker.distribution.manifest.v2+json",
"imageTag": "latest"}, "responseElements": {"image": {"registryId": "111111111112",
"repositoryName": "devsecops/cat_dog_server", "imageId": {"imageDigest": "sha256:b7798f35949cc1a2d435c9ac59ab69e857fe635a359c96e4f56a8498ce02019c",
"imageTag": "latest"}, "imageManifest": "{\n \"schemaVersion\": 2,\n \"mediaType\":
\"application/vnd.docker.distribution.manifest.v2+json\",\n \"config\": {\n \"mediaType\":
\"application/vnd.docker.container.image.v1+json\",\n \"size\": 6591,\n \"digest\":
\"sha256:547fc07c53533763d68ebdfdc45529b1db45301d07824410bcc30df866d67df1\"\n },\n \"layers\":
[\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\":
2811969,\n \"digest\": \"sha256:540db60ca9383eac9e418f78490994d0af424aab7bf6d0e47ac8ed4e2e9bcbba\"\n },\n {\n \"mediaType\":
\"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 35426616,\n \"digest\":
\"sha256:f4fa1ac42c97abe89e0cc807af0ae4b63fbec2a5209a75a7239d099702c7fd80\"\n },\n {\n \"mediaType\":
\"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 2347076,\n \"digest\":
\"sha256:2b3e10d0c87c453eed1378e102ff1cc17aa4e3eed2159b7505959777a6225059\"\n },\n {\n \"mediaType\":
\"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 280,\n \"digest\":
\"sha256:43bd2fc3ba418e309449b8c82d723d9069ebb81863050dc0d6ad6e6ec0683808\"\n },\n {\n \"mediaType\":
\"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 92,\n \"digest\":
\"sha256:803d6b58954d4daee18ed071281627f8214f3d2ba1b9a419ab8834029310942a\"\n },\n {\n \"mediaType\":
\"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 373,\n \"digest\":
\"sha256:e664d5491b5c81e901a2293fbc025532a7cae0dcc75ce7418f854209aaa2474c\"\n },\n {\n \"mediaType\":
\"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 2383293,\n \"digest\":
\"sha256:b827c586a783ce490b79907607d535f99f42360b6ba86a4b2ac3e7f01542144d\"\n },\n {\n \"mediaType\":
\"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 10001,\n \"digest\":
\"sha256:0dd85ef396bcaded88fab4a8079d6b8bd5e3f8cf7eeb9b93306ffdb63401ba0a\"\n }\n ]\n}",
"imageManifestMediaType": "application/vnd.docker.distribution.manifest.v2+json"}},
"requestID": "805a31e6-0fed-433b-b393-f463c6881334", "eventID": "1aef3588-ae84-4f1f-9276-8ec94ee6a7e9",
"readOnly": false, "resources": [{"accountId": "111111111111", "ARN": "arn:aws:ecr:eu-central-1:1111111111111:repository/devsecops/cat_dog_server"}],
"eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111",
"eventCategory": "Management"}'