Quick Start Security for Azure Defender for Container Registries
Coralogix Extension For Azure Defender for Container Registries Includes:
Alerts - 5
Stay on top of Azure Defender for Container Registries key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
Image Vulnerability Scan Disabled
This alert triggers when a user disables the image vulnerability scanning configuration for the specified repository.
Impact: A threat actor can disable vulnerability scanning for an image so that malicious images are never scanned and can be pulled and run without detection.
Mitigation: Check if the user is aware of this action and if it is legitimate. If not, revert the action, investigate further, and look for any suspicious activities.
MITRE Tactic: TA0005
MITRE Technique: T1578
Forced Repository Deleted
This alert triggers when a repository that still contains images is deleted. A repository cannot normally be deleted while it contains images: the user must either delete all images first or use the force option to delete the repository.
Impact: A threat actor can delete a public or a private repository to disrupt normal business operations.
Mitigation: Check if the user is aware of this action and if it is legitimate. If not, investigate further and look for any suspicious activities.
MITRE Tactic: TA0005
MITRE Technique: T1578
Excessive DCR Images Pulled
This alert triggers when multiple DCR images are pulled within a specific interval of time. The pull operation retrieves the detailed content of an image, which is specified by either an imageTag or an imageDigest.
Impact: A threat actor can update or create an image containing malicious code. That code executes on any machine that pulls and runs the image, whether a user's local machine, a Kubernetes cluster, or a cloud environment, which allows the actor to compromise widely used images such as the AzureMonitor agent, Azure Linux, and Nginx. A high number of images pulled by a single user can also indicate suspicious activity.
Mitigation: Check if the user is aware of this action and if this activity is legitimate. If not, investigate further and look for any suspicious activities. This alert can be fine-tuned for specific repositories or users performing these actions.
MITRE Tactic: TA0009
MITRE Technique: T1530
Images Within a Repository Deleted
This alert triggers when a list of specified images within a repository is deleted. Images are specified by either an imageTag or an imageDigest.
Impact: A threat actor can delete repository images to disrupt normal business operations.
Mitigation: Check if the user is aware of this action and if it is legitimate. If not, investigate further and look for any suspicious activities.
MITRE Tactic: TA0040
MITRE Technique: T1485
Excessive DCR Image Pushed
This alert triggers when multiple DCR images are pushed, with all of their new image layers uploaded, within a specific interval of time.
Impact: A threat actor can push a malicious DCR image that appears to come from a verified registry and infect many machines in one go. This might eventually affect business operations on a large scale.
Mitigation: Check if the user is aware of this action and if it is legitimate. If not, investigate further and look for any suspicious activities. This alert can be fine-tuned for specific repositories or users performing these actions.
MITRE Tactic: TA0005
MITRE Technique: T1578
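The two "Excessive" alerts above (images pulled, images pushed) are both threshold-over-time detections: count one operation type per user inside a sliding window, fire when the count reaches a threshold, and let operators exclude known-noisy users or repositories. The following is an added illustration of that logic written for this page; it is not Coralogix's alert definition and not Azure's audit-log schema. The event tuples (timestamp, user, operation, repository), the user names, repository names, thresholds and the five-minute window are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample registry audit events (NOT a real Azure/Coralogix schema):
# (ISO-8601 timestamp, user, operation, repository)
SAMPLE_EVENTS = [
    # alice: 6 pulls in 2.5 minutes -> should trip a pull threshold of 5
    ("2024-01-01T10:00:00", "alice", "pull", "app/web"),
    ("2024-01-01T10:00:30", "alice", "pull", "app/api"),
    ("2024-01-01T10:01:00", "alice", "pull", "app/worker"),
    ("2024-01-01T10:01:30", "alice", "pull", "infra/nginx"),
    ("2024-01-01T10:02:00", "alice", "pull", "infra/monitor-agent"),
    ("2024-01-01T10:02:30", "alice", "pull", "infra/base-linux"),
    # bob: 2 pulls 30 minutes apart -> normal activity
    ("2024-01-01T10:00:00", "bob", "pull", "app/web"),
    ("2024-01-01T10:30:00", "bob", "pull", "app/web"),
    # ci-bot: 6 pulls in 2.5 minutes, but a known build account (tuning candidate)
    ("2024-01-01T10:05:00", "ci-bot", "pull", "app/web"),
    ("2024-01-01T10:05:30", "ci-bot", "pull", "app/api"),
    ("2024-01-01T10:06:00", "ci-bot", "pull", "app/worker"),
    ("2024-01-01T10:06:30", "ci-bot", "pull", "app/cache"),
    ("2024-01-01T10:07:00", "ci-bot", "pull", "app/db"),
    ("2024-01-01T10:07:30", "ci-bot", "pull", "app/proxy"),
    # carol: 4 pushes in 2 minutes -> should trip a push threshold of 3
    ("2024-01-01T11:00:00", "carol", "push", "app/web"),
    ("2024-01-01T11:00:40", "carol", "push", "app/api"),
    ("2024-01-01T11:01:20", "carol", "push", "app/worker"),
    ("2024-01-01T11:02:00", "carol", "push", "app/cache"),
]


def parse_events(events):
    """Turn the raw tuples into (datetime, user, operation, repository), sorted by time."""
    return sorted((datetime.fromisoformat(ts), user, op, repo) for ts, user, op, repo in events)


def excessive_ops(events, operation, threshold, window=timedelta(minutes=5),
                  ignore_users=frozenset(), ignore_repos=frozenset()):
    """Sliding-window detection of one operation type ("pull" or "push") per user.

    An alert is produced the first time a user's count of `operation` within the
    trailing `window` reaches `threshold`. Users and repositories listed in the
    ignore sets are skipped, which is the "fine-tuning" knob the alert text mentions.
    One alert per user per run keeps the output from repeating on every further event.
    """
    alerts = []
    recent = defaultdict(deque)   # user -> timestamps of matching events in the window
    already_fired = set()
    for ts, user, op, repo in parse_events(events):
        if op != operation or user in ignore_users or repo in ignore_repos:
            continue
        q = recent[user]
        q.append(ts)
        # Drop timestamps that have fallen out of the trailing window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and user not in already_fired:
            already_fired.add(user)
            alerts.append({
                "user": user,
                "operation": operation,
                "count": len(q),
                "window_end": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    # Without tuning the build account trips the pull alert too.
    for alert in excessive_ops(SAMPLE_EVENTS, "pull", threshold=5):
        print("pull alert:", alert)
    # With the build account excluded only alice remains.
    for alert in excessive_ops(SAMPLE_EVENTS, "pull", threshold=5, ignore_users={"ci-bot"}):
        print("tuned pull alert:", alert)
    for alert in excessive_ops(SAMPLE_EVENTS, "push", threshold=3):
        print("push alert:", alert)
```

The same function serves both alerts by changing the `operation` and `threshold` arguments. The ignore sets show why the page says these alerts "can be fine-tuned": a CI service account that legitimately pulls many images in a burst would otherwise page the on-call every build, and suppressing it by account (or by repository) is safer than raising the global threshold, which would also hide a human account behaving the same way.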
Integration
Learn more about Coralogix's out-of-the-box integration with Azure Defender for Container Registries in our documentation.