Techniques
Sample rules
Kubernetes AWS detect suspicious kubectl calls
- source: splunk
- technicques:
Description
The following analytic detects anonymous and unauthenticated requests to a Kubernetes cluster. It identifies this behavior by monitoring API calls from users who have not provided any token or password in their request, using data from kube_audit
logs. This activity is significant for a SOC as it indicates a severe misconfiguration, allowing unfettered access to the cluster with no traceability. If confirmed malicious, an attacker could gain access to sensitive data or control over the cluster, posing a substantial security risk.
Detection logic
`kube_audit` user.username="system:anonymous" user.groups{} IN ("system:unauthenticated")
| fillnull
| stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb
| rename sourceIPs{} as src_ip, user.username as user
|`kubernetes_aws_detect_suspicious_kubectl_calls_filter`