container_implantation_monitoring_and_investigation.yml
name: Container Implantation Monitoring and Investigation
id: aa0e28b1-0521-4b6f-9d2a-7b87e34af246
version: 1
date: '2020-02-20'
author: Rod Soto, Rico Valdez, Splunk
description: Use the searches in this story to monitor your Kubernetes registry repositories
  for the upload and deployment of potentially vulnerable, backdoored, or implanted containers.
  These searches provide information on source users, destination paths, container
  names and repository names. The searches provide context to address MITRE ATT&CK T1525,
  which covers the upload of implanted containers to a company's repository in
  Amazon Elastic Container Registry, Google Container Registry or Azure Container
  Registry.
narrative: Container registries provide a way for organizations to keep customized
  images of their development and infrastructure environments private. However, if
  these repositories are misconfigured or privileged users' credentials are compromised,
  attackers can potentially upload implanted containers which can then be deployed across
  the organization. These searches allow operators to monitor who uploaded what to the
  container registry, and when.
references:
  - https://github.com/splunk/cloud-datamodel-security-research
tags:
  analytic_story: Container Implantation Monitoring and Investigation
  category:
    - Cloud Security
  product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
  usecase: Security Monitoring