kubectl calls are not malicious by nature. However, the source IP, verb and object can reveal potentially malicious activity, especially requests from suspicious IPs and requests against sensitive objects such as configmaps or secrets.

Sample rules

Kubernetes Azure detect suspicious kubectl calls

Description

This search provides information on rare kubectl calls, with source IP, verb, namespace and object access context.

Detection logic

`kubernetes_azure` category=kube-audit 
| spath input=properties.log 
| spath input=responseObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration 
| search userAgent=kubectl* sourceIPs{}!=127.0.0.1 sourceIPs{}!=::1 
| table sourceIPs{} verb userAgent user.groups{} objectRef.resource objectRef.namespace requestURI 
| rare sourceIPs{} verb userAgent user.groups{} objectRef.resource objectRef.namespace requestURI 
|`kubernetes_azure_detect_suspicious_kubectl_calls_filter`

Kubernetes AWS detect suspicious kubectl calls

Description

The following analytic detects anonymous and unauthenticated requests to a Kubernetes cluster. It identifies this behavior by monitoring API calls from users who have not provided any token or password in their request, using data from kube_audit logs. This activity is significant for a SOC as it indicates a severe misconfiguration, allowing unfettered access to the cluster with no traceability. If confirmed malicious, an attacker could gain access to sensitive data or control over the cluster, posing a substantial security risk.

Detection logic

`kube_audit` user.username="system:anonymous" user.groups{} IN ("system:unauthenticated") 
| fillnull 
| stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb 
| rename sourceIPs{} as src_ip, user.username as user 
|`kubernetes_aws_detect_suspicious_kubectl_calls_filter`
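The two searches above run inside Splunk. As an added example (not code from the LoFP page or from Splunk ESCU), the Python below applies the same logic to raw Kubernetes audit events so the kubectl filter, the `rare` grouping, the escalation of secrets/configmaps access described in the note at the top, and the anonymous-request check from the AWS search can be read side by side. It assumes one `audit.k8s.io/v1` JSON event per line; the sample events, IPs, user names and audit IDs are constructed, and the reading of `sourceIPs{}!=127.0.0.1` as "keep the event if any source IP is non-loopback" is an assumption.

```python
"""Triage Kubernetes audit events the way the two SPL searches do.

Added example, not from the LoFP page or Splunk ESCU. Assumes one
audit.k8s.io/v1 JSON event per line; all sample data is constructed.
"""
import json
from collections import Counter

# Constructed sample kube-audit events (not real cluster traffic).
SAMPLE_AUDIT_LOG = r'''
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"list","user":{"username":"alice","groups":["system:authenticated","dev"]},"sourceIPs":["10.0.0.5"],"userAgent":"kubectl/v1.28.2 (linux/amd64) kubernetes/89a4ea3","objectRef":{"resource":"pods","namespace":"default"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-05-01T09:00:01Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"list","user":{"username":"alice","groups":["system:authenticated","dev"]},"sourceIPs":["10.0.0.5"],"userAgent":"kubectl/v1.28.2 (linux/amd64) kubernetes/89a4ea3","objectRef":{"resource":"pods","namespace":"default"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-05-01T09:05:12Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/secrets/db-creds","verb":"get","user":{"username":"alice","groups":["system:authenticated","dev"]},"sourceIPs":["203.0.113.9"],"userAgent":"kubectl/v1.28.2 (linux/amd64) kubernetes/89a4ea3","objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-05-01T23:41:07Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a4","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/configmaps","verb":"list","user":{"username":"admin","groups":["system:masters","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kubectl/v1.28.2 (linux/amd64) kubernetes/89a4ea3","objectRef":{"resource":"configmaps","namespace":"kube-system"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-05-01T10:00:00Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a5","stage":"ResponseComplete","requestURI":"/api/v1/nodes","verb":"watch","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"sourceIPs":["10.0.0.1"],"userAgent":"kube-controller-manager/v1.28.2 (linux/amd64) kubernetes/89a4ea3","objectRef":{"resource":"nodes"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-05-01T10:00:00Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a6","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/secrets","verb":"list","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["198.51.100.7"],"userAgent":"curl/8.4.0","objectRef":{"resource":"secrets","namespace":"default"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2024-05-01T11:12:13Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a7","stage":"ResponseComplete","requestURI":"/version","verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["198.51.100.7"],"userAgent":"curl/8.4.0","responseStatus":{"code":200},"requestReceivedTimestamp":"2024-05-01T11:12:10Z"}
'''

LOOPBACK_IPS = {"127.0.0.1", "::1"}
# Objects whose access by kubectl deserves a closer look (from the LoFP note).
SENSITIVE_RESOURCES = {"secrets", "configmaps"}


def parse_audit_events(raw):
    """Parse one JSON audit event per non-empty line."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def is_external_kubectl_call(event):
    """Mirror `userAgent=kubectl* sourceIPs{}!=127.0.0.1 sourceIPs{}!=::1`.
    Assumed reading: keep the event if any source IP is non-loopback."""
    user_agent = event.get("userAgent", "")
    ips = event.get("sourceIPs", [])
    return user_agent.startswith("kubectl") and any(ip not in LOOPBACK_IPS for ip in ips)


def kubectl_key(event):
    """The field tuple the Azure search tables and then passes to `rare`."""
    obj = event.get("objectRef", {})
    return (
        ",".join(event.get("sourceIPs", [])),
        event.get("verb", ""),
        event.get("userAgent", ""),
        ",".join(event.get("user", {}).get("groups", [])),
        obj.get("resource", ""),
        obj.get("namespace", ""),
        event.get("requestURI", ""),
    )


def rare_kubectl_calls(events, limit=10):
    """Least common (ip, verb, agent, groups, resource, ns, uri) combinations,
    rarest first, like `| rare ...`. Returns [(key_tuple, count), ...]."""
    counts = Counter(kubectl_key(e) for e in events if is_external_kubectl_call(e))
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:limit]


def sensitive_kubectl_calls(events):
    """External kubectl calls that touched secrets or configmaps: the subset
    of the rare-call output an analyst would escalate first."""
    return [
        e for e in events
        if is_external_kubectl_call(e)
        and e.get("objectRef", {}).get("resource") in SENSITIVE_RESOURCES
    ]


def anonymous_requests(events):
    """Mirror the AWS search: system:anonymous in system:unauthenticated,
    counted per request context (timestamp and uid left out of the key so
    repeated probes from one source collapse into one row)."""
    counts = Counter()
    for e in events:
        user = e.get("user", {})
        if user.get("username") != "system:anonymous":
            continue
        if "system:unauthenticated" not in user.get("groups", []):
            continue
        obj = e.get("objectRef", {})
        # Missing fields become "0", as Splunk's `fillnull` would do.
        key = (
            obj.get("name", "0"), obj.get("namespace", "0"), obj.get("resource", "0"),
            e.get("requestURI", "0"), e.get("responseStatus", {}).get("code", "0"),
            ",".join(e.get("sourceIPs", [])), e.get("userAgent", "0"), e.get("verb", "0"),
        )
        counts[key] += 1
    fields = ("name", "namespace", "resource", "requestURI", "status", "src_ip", "userAgent", "verb")
    return [dict(zip(fields, key), user="system:anonymous", count=n)
            for key, n in sorted(counts.items(), key=lambda kv: -kv[1])]


EVENTS = parse_audit_events(SAMPLE_AUDIT_LOG)

if __name__ == "__main__":
    for key, count in rare_kubectl_calls(EVENTS):
        print(f"rare kubectl call x{count}: ip={key[0]} verb={key[1]} resource={key[4]} ns={key[5]}")
    for e in sensitive_kubectl_calls(EVENTS):
        print("escalate (sensitive object):", e["auditID"], e["requestURI"])
    for row in anonymous_requests(EVENTS):
        print("anonymous request:", row)
```

Run against the embedded sample, the pods listing from 10.0.0.5 appears twice and ranks below the single secrets read from 203.0.113.9, which is also the one call the sensitive-object filter escalates; the loopback configmaps listing and the controller-manager watch never reach the kubectl detector, and the two anonymous curl requests surface under the AWS logic regardless of whether the API server returned 403 or 200.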