LoFP

kubectl calls are not malicious by nature. However, the source IP, source user, user agent, object path, and authorization context can reveal potentially malicious activity, especially anonymous calls from suspicious IPs and access to sensitive objects such as ConfigMaps or Secrets.

Techniques

Sample rules

Kubernetes GCP detect suspicious kubectl calls

Description

This search provides information on anonymous kubectl calls with the source IP, verb, namespace and object access context (the object path and whether authorization was granted).

Detection logic

`google_gcp_pubsub_message` data.protoPayload.requestMetadata.callerSuppliedUserAgent=kubectl* (src_user=system:unsecured OR src_user=system:anonymous)
| table src_ip src_user data.protoPayload.requestMetadata.callerSuppliedUserAgent data.protoPayload.authorizationInfo{}.granted object_path
| dedup src_ip src_user
| `kubernetes_gcp_detect_suspicious_kubectl_calls_filter`

The intended reading is "kubectl user agent AND (unsecured OR anonymous principal)". Splunk evaluates OR before AND (unlike SQL), so the unparenthesized form behaves the same way, but the explicit grouping avoids misreading. Note that `dedup src_ip src_user` keeps only the first event per source/user pair, so a single anonymous source that touched many objects appears as one row with one object_path; drop the dedup, or add object_path to it, when you need the full list of objects accessed.
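To see what the search actually keeps and drops, the following added example (not part of the LoFP entry or the Splunk rule) replays the same logic in Python over constructed GKE audit-log messages. It assumes the raw Pub/Sub message layout that the GCP add-on maps to the CIM fields used in the SPL: `protoPayload.authenticationInfo.principalEmail` becomes `src_user`, `protoPayload.requestMetadata.callerIp` becomes `src_ip`, and `protoPayload.resourceName` becomes `object_path`; that mapping, the sample events and the `is_sensitive_object` check for ConfigMaps and Secrets from the false-positive note are assumptions of this example.

```python
"""Replay of the 'suspicious kubectl calls' search over constructed GKE audit events."""
import json
from typing import Iterable, Optional

# Principals the SPL treats as unauthenticated.
ANON_USERS = {"system:unsecured", "system:anonymous"}

# Object kinds the false-positive note calls out as sensitive (assumption of this example).
SENSITIVE_KINDS = ("secrets", "configmaps")


def _pubsub_message(principal, caller_ip, user_agent, method, resource, granted):
    """Build one constructed audit-log message in the assumed GKE audit-log shape."""
    return json.dumps({
        "protoPayload": {
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {
                "callerIp": caller_ip,
                "callerSuppliedUserAgent": user_agent,
            },
            "methodName": method,
            "resourceName": resource,
            "authorizationInfo": [{"permission": method, "granted": granted}],
        }
    })


# Constructed sample events (not real captures); comments give the expected outcome.
SAMPLE_LINES = [
    # 1: anonymous kubectl read of a secret -> matches, sensitive
    _pubsub_message("system:anonymous", "198.51.100.23",
                    "kubectl/v1.27.3 (linux/amd64) kubernetes/25b4e43",
                    "io.k8s.core.v1.secrets.get",
                    "core/v1/namespaces/kube-system/secrets/db-creds", False),
    # 2: same anonymous source listing pods -> matches, but removed by dedup on (src_ip, src_user)
    _pubsub_message("system:anonymous", "198.51.100.23",
                    "kubectl/v1.27.3 (linux/amd64) kubernetes/25b4e43",
                    "io.k8s.core.v1.pods.list",
                    "core/v1/namespaces/default/pods", False),
    # 3: unsecured principal reading a configmap from another IP -> matches, sensitive
    _pubsub_message("system:unsecured", "203.0.113.7",
                    "kubectl/v1.28.0 (darwin/arm64) kubernetes/855e7c4",
                    "io.k8s.core.v1.configmaps.get",
                    "core/v1/namespaces/default/configmaps/app-config", True),
    # 4: authenticated engineer using kubectl -> not matched (expected admin traffic)
    _pubsub_message("alice@example.com", "192.0.2.10",
                    "kubectl/v1.27.3 (linux/amd64) kubernetes/25b4e43",
                    "io.k8s.core.v1.secrets.get",
                    "core/v1/namespaces/default/secrets/tls-cert", True),
    # 5: anonymous probe with a browser user agent -> not matched (user-agent filter)
    _pubsub_message("system:anonymous", "198.51.100.99",
                    "Mozilla/5.0 (X11; Linux x86_64)",
                    "io.k8s.core.v1.pods.list",
                    "core/v1/namespaces/default/pods", False),
]


def is_sensitive_object(object_path: str) -> bool:
    """True when the resource path names a secret or configmap in any namespace."""
    parts = object_path.split("/")
    return any(kind in parts for kind in SENSITIVE_KINDS)


def match_event(event: dict) -> Optional[dict]:
    """Apply the search's filter to one parsed event.

    Returns the row the SPL `table` command would emit, or None when the event
    does not match. Both conditions must hold: kubectl user agent AND an
    anonymous/unsecured principal.
    """
    pp = event.get("protoPayload", {})
    meta = pp.get("requestMetadata", {})
    user_agent = meta.get("callerSuppliedUserAgent", "")
    src_user = pp.get("authenticationInfo", {}).get("principalEmail", "")
    if not user_agent.startswith("kubectl"):
        return None
    if src_user not in ANON_USERS:
        return None
    object_path = pp.get("resourceName", "")
    return {
        "src_ip": meta.get("callerIp", ""),
        "src_user": src_user,
        "user_agent": user_agent,
        # Mirrors data.protoPayload.authorizationInfo{}.granted (multivalue in Splunk).
        "granted": [bool(a.get("granted", False)) for a in pp.get("authorizationInfo", [])],
        "object_path": object_path,
        "sensitive": is_sensitive_object(object_path),
    }


def run_search(lines: Iterable[str]) -> list:
    """Replay the pipeline: filter, table, then dedup src_ip src_user (first hit wins)."""
    seen = set()
    rows = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed message: skip it rather than abort the replay
        row = match_event(event)
        if row is None:
            continue
        key = (row["src_ip"], row["src_user"])
        if key in seen:
            continue
        seen.add(key)
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in run_search(SAMPLE_LINES):
        flag = "SENSITIVE" if row["sensitive"] else ""
        print(f'{row["src_ip"]:16} {row["src_user"]:18} granted={row["granted"]} {row["object_path"]} {flag}')
```

Running it yields two rows: the anonymous secret read from 198.51.100.23 and the unsecured configmap read from 203.0.113.7. The second anonymous event from 198.51.100.23 (the pod list) is swallowed by the dedup, which is exactly the behaviour to keep in mind when triaging: the row you see may not be the most sensitive object that source touched.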