LoFP: azure aks kubernetes cluster
| Title | Tags |
|---|---|
| kubectl calls are not malicious by nature. However, source IP, verb and object can reveal potentially malicious activity, especially suspicious IPs and sensitive objects such as ConfigMaps or Secrets. | azure aks kubernetes cluster, splunk |
| Not all RBAC authorizations are malicious. RBAC authorizations can uncover malicious activity, especially if sensitive roles have been granted. | gcp gke kubernetes cluster, aws eks kubernetes cluster, azure aks kubernetes cluster, splunk |
| Not all service account interactions are malicious. The analyst must consider source IP and verb context when trying to detect malicious use. | azure aks kubernetes cluster, splunk |
| Not all unauthenticated requests are malicious, but source IPs, user agent, verb, request URI and response status provide the context needed to decide. | t1526, azure aks kubernetes cluster, splunk |
| Sensitive object access is not necessarily malicious, but user and object context can guide detection. | azure aks kubernetes cluster, aws eks kubernetes cluster, gcp gke kubernetes cluster, splunk |
| Access to sensitive role resources is necessary for cluster operation; however, source IP, namespace and user group may indicate possible malicious use. | azure aks kubernetes cluster, aws eks kubernetes cluster, splunk |
| This search can generate false positives, as there may be inherent issues with authentication and permissions in the cluster. | azure aks kubernetes cluster, aws eks kubernetes cluster, gcp gke kubernetes cluster, splunk |
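Every row above reduces to the same triage question: the event itself (a kubectl call, an RBAC change, a service-account request, an anonymous request, a read of a Secret) is not malicious, and the analyst has to weigh source IP, verb, object, user, user agent and response status. The script below is an added example, not LoFP's or Splunk's code and not one of the searches these notes belong to; it scores Kubernetes `audit.k8s.io/v1` events on exactly those signals. The trusted CIDR ranges, the score weights and the sample events are assumptions constructed for the example.

```python
"""Context-aware triage of Kubernetes API audit events (added example).

Scores audit.k8s.io/v1 events on the signals the false-positive notes
name: source IP, verb, object, user, user agent and response status.
Trusted ranges, weights and sample events are constructed assumptions.
"""
import ipaddress
import json

# Assumption: node, pod and CI ranges for this cluster; anything else is external.
TRUSTED_CIDRS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
SENSITIVE_RESOURCES = {"secrets", "configmaps"}
RBAC_RESOURCES = {"clusterroles", "clusterrolebindings", "roles", "rolebindings"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
HEALTH_PATHS = ("/healthz", "/livez", "/readyz", "/version")


def source_is_trusted(event, trusted=TRUSTED_CIDRS):
    """True only if every sourceIP of the event lies inside a trusted range."""
    ips = event.get("sourceIPs") or []
    if not ips:
        return False
    try:
        return all(any(ipaddress.ip_address(ip) in net for net in trusted) for ip in ips)
    except ValueError:  # malformed address: treat as untrusted
        return False


def triage(event, trusted=TRUSTED_CIDRS):
    """Return (score, reasons) for one audit event dict.

    The score is a review priority, not a verdict; each reason names one of
    the context signals the notes above tell the analyst to check.
    """
    user = event.get("user") or {}
    username = user.get("username", "")
    groups = set(user.get("groups") or [])
    verb = event.get("verb", "")
    obj = event.get("objectRef") or {}
    resource = obj.get("resource", "")
    uri = event.get("requestURI", "")
    code = (event.get("responseStatus") or {}).get("code", 0)
    agent = event.get("userAgent", "")
    anonymous = username == "system:anonymous" or "system:unauthenticated" in groups

    # Anonymous health probes from load balancers and kubelets are normal noise.
    if anonymous and uri.startswith(HEALTH_PATHS):
        return 0, ["anonymous health probe"]

    score, reasons = 0, []
    external = not source_is_trusted(event, trusted)
    if external:
        score += 2
        reasons.append(f"source {event.get('sourceIPs')} outside trusted ranges")

    # Any other unauthenticated request: a 2xx matters more than a 401/403.
    if anonymous:
        score += 3 if code < 400 else 1
        reasons.append(f"unauthenticated {verb} {uri} -> {code} (UA {agent!r})")

    # Secrets/ConfigMaps: routine for in-cluster controllers, less so for kubectl users.
    if resource in SENSITIVE_RESOURCES:
        score += 3 if agent.startswith("kubectl/") else 2
        reasons.append(f"{verb} {resource}/{obj.get('name', '*')} "
                       f"ns={obj.get('namespace', '-')} by {username}")

    # RBAC writes; roleRef is only visible when the audit level is RequestResponse.
    if resource in RBAC_RESOURCES and verb in WRITE_VERBS:
        role = ((event.get("requestObject") or {}).get("roleRef") or {}).get("name", "")
        score += 6 if role == "cluster-admin" else 3
        reasons.append(f"{verb} {resource}/{obj.get('name', '*')} roleRef={role or '?'} by {username}")

    # A service-account token performing writes from outside the cluster network.
    if username.startswith("system:serviceaccount:") and verb in WRITE_VERBS and external:
        score += 3
        reasons.append(f"service account {username} writing from external IP")
    return score, reasons


def triage_lines(lines, trusted=TRUSTED_CIDRS):
    """Parse JSON-lines audit events; return [(auditID, score, reasons)], highest first."""
    rows = []
    for line in lines:
        if line.strip():
            ev = json.loads(line)
            score, reasons = triage(ev, trusted)
            rows.append((ev.get("auditID", "?"), score, reasons))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample events (not real cluster data); layout follows audit.k8s.io/v1 Event.
SAMPLE_EVENTS = [
    {"auditID": "a1", "verb": "get", "user": {"username": "system:serviceaccount:kube-system:coredns", "groups": ["system:serviceaccounts"]}, "sourceIPs": ["10.244.1.7"], "userAgent": "coredns/1.10", "objectRef": {"resource": "configmaps", "namespace": "kube-system", "name": "coredns"}, "requestURI": "/api/v1/namespaces/kube-system/configmaps/coredns", "responseStatus": {"code": 200}},
    {"auditID": "a2", "verb": "get", "user": {"username": "alice@example.com", "groups": ["system:authenticated"]}, "sourceIPs": ["203.0.113.9"], "userAgent": "kubectl/v1.28.2 (linux/amd64) kubernetes/89a4ea3", "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-credentials"}, "requestURI": "/api/v1/namespaces/prod/secrets/db-credentials", "responseStatus": {"code": 200}},
    {"auditID": "a3", "verb": "create", "user": {"username": "system:serviceaccount:ci:deployer", "groups": ["system:serviceaccounts"]}, "sourceIPs": ["198.51.100.4"], "userAgent": "kubectl/v1.28.2", "objectRef": {"resource": "clusterrolebindings", "apiGroup": "rbac.authorization.k8s.io", "name": "ci-admin"}, "requestURI": "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings", "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}, "responseStatus": {"code": 201}},
    {"auditID": "a4", "verb": "get", "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]}, "sourceIPs": ["10.0.0.2"], "userAgent": "kube-probe/1.28", "objectRef": {}, "requestURI": "/healthz", "responseStatus": {"code": 200}},
    {"auditID": "a5", "verb": "list", "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]}, "sourceIPs": ["198.51.100.77"], "userAgent": "python-requests/2.31", "objectRef": {"resource": "secrets"}, "requestURI": "/api/v1/secrets", "responseStatus": {"code": 403}},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for audit_id, score, reasons in triage_lines(SAMPLE_LINES):
        print(f"{audit_id} score={score}")
        for reason in reasons:
            print("   ", reason)
```

Run as-is, the cluster-admin binding created by a CI service account from an external address (a3) sorts to the top, the kubectl read of a production Secret from outside (a2) and the anonymous probe for `/api/v1/secrets` (a5) come next, and the CoreDNS ConfigMap read and the load-balancer health probe land at the bottom, which is the ordering the notes above ask for. On AKS the same event shape arrives through the kube-audit diagnostic log category and on EKS through the control-plane audit log; GKE wraps API calls in Cloud Audit Logs, so its fields need mapping onto this layout before the parser applies.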