Packages in Container Images - Match Lookup File
Parses packages from ImageVulnerabilityEvents and cross-references them with a lookup file to identify matching entries.
Threat Hunting | hunting
FDR | intermediate | by ByteRay (cql-hub.com)
Query
ImageScanEventType = ImageVulnerabilityEvent
| array:eval("CVEMapping[]", asArray="PackageName[]", function={PackageName := splitString(by="\|",field="CVEMapping",index=1)})
| array:drop("CVEMapping[]")
| array:dedup("PackageName[]")
| array:reduceAll(array="PackageName[]",var=PackageName, function=groupBy(PackageName))
| match(file="compromised-npm-packages-shai-hulud.csv", field="PackageName",column="PackageName", ignoreCase=true)
Explanation
Imported from cql-hub.com. Add an explanation of the pipes here.
Variables to adjust
Review and adjust the values for your environment.
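
To rehearse the query's steps offline against a candidate lookup file, here is an added Python example (not code from cql-hub.com or ByteRay) that approximates the pipeline: event filter, split on "|" at index 1, per-event dedup, count across events, case-insensitive match. The event layout, package names and lookup rows are constructed; only the PackageName column and the pipe-delimited CVEMapping with the name at index 1 come from the query.

```python
import csv
import io
from collections import Counter

# Constructed lookup content; the real compromised-npm-packages-shai-hulud.csv
# is not shown on the page. Only the "PackageName" column comes from the query.
LOOKUP_CSV = "PackageName\nexample-bad-pkg\n@example-scope/Bad-Lib\n"

# Constructed events. Assumption: each CVEMapping entry is pipe-delimited with
# the package name at index 1; the other fields are placeholders.
SAMPLE_EVENTS = [
    {"ImageScanEventType": "ImageVulnerabilityEvent",
     "CVEMapping": ["CVE-X|Example-Bad-Pkg|1.0.0", "CVE-Y|Example-Bad-Pkg|1.0.0",
                    "CVE-Z|example-ok-pkg|2.1.0"]},
    {"ImageScanEventType": "ImageVulnerabilityEvent",
     "CVEMapping": ["CVE-X|@example-scope/bad-lib|0.3.1", "malformed-entry"]},
    {"ImageScanEventType": "OtherEvent",
     "CVEMapping": ["CVE-X|example-bad-pkg|1.0.0"]},
]


def load_lookup(csv_text, column="PackageName"):
    """Return the lookup column lower-cased; fail loudly if the column is missing."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if column not in (reader.fieldnames or []):
        raise ValueError(f"lookup file has no {column!r} column")
    return {(row[column] or "").lower() for row in reader if row[column]}


def hunt(events, lookup):
    """Approximate the query: filter, split, dedup per event, count, match."""
    counts = Counter()
    for event in events:
        if event.get("ImageScanEventType") != "ImageVulnerabilityEvent":
            continue
        names = set()  # per-event dedup, like array:dedup
        for entry in event.get("CVEMapping", []):
            parts = entry.split("|")
            if len(parts) > 1 and parts[1]:  # index=1 holds the package name
                names.add(parts[1])
        counts.update(names)  # like groupBy(PackageName) across events
    # like match(..., ignoreCase=true): keep names present in the lookup
    return {name: n for name, n in counts.items() if name.lower() in lookup}


if __name__ == "__main__":
    for name, images in hunt(SAMPLE_EVENTS, load_lookup(LOOKUP_CSV)).items():
        print(f"{name}\t{images}")
```

A lookup file whose header is not exactly PackageName raises an error here, which is worth catching before the file is uploaded.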