LoFP

kubectl calls are not malicious by nature. However, the source IP, verb and object can reveal potentially malicious activity, especially anonymous or suspicious source IPs and access to sensitive objects such as ConfigMaps or Secrets.

Sample rules

Kubernetes AWS detect suspicious kubectl calls

Description

The following analytic detects anonymous and unauthenticated requests to a Kubernetes cluster. It identifies this behavior by monitoring for API calls from users who have not provided any token or password in their request. This is a significant behavior to identify for a SOC as it indicates a severe misconfiguration that allows unfettered access to a cluster with no traceability to a user or service. The impact of such an attack could be substantial, potentially granting an attacker access to sensitive data or control over the cluster. This detection rule is crucial for maintaining the security and integrity of your Kubernetes infrastructure.

Detection logic

`kube_audit` user.username="system:anonymous" user.groups{} IN ("system:unauthenticated") 
| fillnull 
| stats count by objectRef.name objectRef.namespace objectRef.resource requestReceivedTimestamp requestURI responseStatus.code sourceIPs{} stage user.groups{} user.uid user.username userAgent verb 
| rename sourceIPs{} as src_ip, user.username as user 
|`kubernetes_aws_detect_suspicious_kubectl_calls_filter`

Kubernetes Azure detect suspicious kubectl calls

Description

This search provides information on rare kubectl calls, with the source IP, verb, namespace and object access context for each.

Detection logic

`kubernetes_azure` category=kube-audit 
| spath input=properties.log 
| spath input=responseObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration 
| search userAgent=kubectl* sourceIPs{}!=127.0.0.1 sourceIPs{}!=::1 
| table sourceIPs{} verb userAgent user.groups{} objectRef.resource objectRef.namespace requestURI 
| rare sourceIPs{} verb userAgent user.groups{} objectRef.resource objectRef.namespace requestURI 
|`kubernetes_azure_detect_suspicious_kubectl_calls_filter`
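To show what both searches above actually pick out of a Kubernetes audit stream, and how the LoFP note (anonymous callers and Secrets/ConfigMaps deserve the most attention) can be turned into a triage step, here is an added Python example. It is not code from the page or from the Splunk ESCU project; it assumes audit events arrive as JSON lines with the same field names the searches reference (user.username, user.groups, sourceIPs, userAgent, verb, objectRef.*, responseStatus.code). The sample events, the loopback exclusion and the severity ranking are constructed assumptions for the demonstration.

```python
import json
from collections import Counter
from typing import Dict, List, Tuple

# Constructed kube audit events (not real cluster logs), shaped like the
# fields the Splunk searches on this page use.
_RAW_EVENTS = [
    {"user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
     "sourceIPs": ["203.0.113.5"], "userAgent": "kubectl/v1.29.0 (linux/amd64)", "verb": "get",
     "requestURI": "/api/v1/namespaces/kube-system/secrets",
     "objectRef": {"resource": "secrets", "namespace": "kube-system", "name": ""},
     "responseStatus": {"code": 200}, "stage": "ResponseComplete"},
    {"user": {"username": "alice", "groups": ["system:authenticated"]},
     "sourceIPs": ["127.0.0.1"], "userAgent": "kubectl/v1.29.0 (darwin/arm64)", "verb": "get",
     "requestURI": "/api/v1/namespaces/default/pods",
     "objectRef": {"resource": "pods", "namespace": "default", "name": ""},
     "responseStatus": {"code": 200}, "stage": "ResponseComplete"},
    {"user": {"username": "alice", "groups": ["system:authenticated"]},
     "sourceIPs": ["10.0.0.4"], "userAgent": "kubectl/v1.29.0 (darwin/arm64)", "verb": "get",
     "requestURI": "/api/v1/namespaces/default/pods",
     "objectRef": {"resource": "pods", "namespace": "default", "name": ""},
     "responseStatus": {"code": 200}, "stage": "ResponseComplete"},
    {"user": {"username": "alice", "groups": ["system:authenticated"]},
     "sourceIPs": ["10.0.0.4"], "userAgent": "kubectl/v1.29.0 (darwin/arm64)", "verb": "get",
     "requestURI": "/api/v1/namespaces/default/pods",
     "objectRef": {"resource": "pods", "namespace": "default", "name": ""},
     "responseStatus": {"code": 200}, "stage": "ResponseComplete"},
    {"user": {"username": "bob", "groups": ["system:authenticated"]},
     "sourceIPs": ["198.51.100.7"], "userAgent": "kubectl/v1.28.2 (linux/amd64)", "verb": "create",
     "requestURI": "/api/v1/namespaces/default/configmaps",
     "objectRef": {"resource": "configmaps", "namespace": "default", "name": "app-config"},
     "responseStatus": {"code": 201}, "stage": "ResponseComplete"},
    {"user": {"username": "system:serviceaccount:kube-system:deployment-controller",
              "groups": ["system:serviceaccounts"]},
     "sourceIPs": ["10.0.0.1"], "userAgent": "kube-controller-manager/v1.29.0", "verb": "update",
     "requestURI": "/apis/apps/v1/namespaces/default/deployments/web",
     "objectRef": {"resource": "deployments", "namespace": "default", "name": "web"},
     "responseStatus": {"code": 200}, "stage": "ResponseComplete"},
]
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in _RAW_EVENTS)  # JSON lines, as a collector would ship them

LOOPBACK = {"127.0.0.1", "::1"}                 # the Azure search excludes these source IPs
SENSITIVE_RESOURCES = {"secrets", "configmaps"}  # objects the LoFP note singles out (assumption)


def parse_audit_log(text: str) -> List[Dict]:
    """Parse JSON-lines audit output into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_anonymous(event: Dict) -> bool:
    """AWS search condition: system:anonymous in the system:unauthenticated group."""
    user = event.get("user", {})
    return user.get("username") == "system:anonymous" and "system:unauthenticated" in user.get("groups", [])


def is_remote_kubectl(event: Dict) -> bool:
    """Azure search condition: kubectl user agent from a non-loopback source IP."""
    return event.get("userAgent", "").startswith("kubectl") and any(
        ip not in LOOPBACK for ip in event.get("sourceIPs", []))


def touches_sensitive_object(event: Dict) -> bool:
    return event.get("objectRef", {}).get("resource") in SENSITIVE_RESOURCES


def anonymous_requests(events: List[Dict]) -> List[Tuple[str, str, str, str, str]]:
    """Rows of (src_ip, verb, resource, namespace, status) for anonymous calls, like the AWS stats."""
    rows = []
    for e in events:
        if is_anonymous(e):
            ref = e.get("objectRef", {})
            for ip in e.get("sourceIPs", ["-"]):
                rows.append((ip, e.get("verb"), ref.get("resource"), ref.get("namespace"),
                             str(e.get("responseStatus", {}).get("code"))))
    return sorted(rows)


def rare_kubectl_calls(events: List[Dict], max_count: int = 1) -> List[Tuple[Tuple, int]]:
    """Count (src_ip, verb, user, resource, namespace) for remote kubectl calls; keep the rare ones."""
    counts: Counter = Counter()
    for e in events:
        if not is_remote_kubectl(e):
            continue
        ref = e.get("objectRef", {})
        for ip in e.get("sourceIPs", []):
            if ip not in LOOPBACK:
                counts[(ip, e.get("verb"), e.get("user", {}).get("username"),
                        ref.get("resource"), ref.get("namespace"))] += 1
    return sorted((key, n) for key, n in counts.items() if n <= max_count)


def triage(events: List[Dict]) -> List[Tuple[str, str, str, str, str]]:
    """Rank hits per the LoFP note: anonymous access to Secrets/ConfigMaps highest (ranking is an assumption)."""
    findings = []
    for e in events:
        anon, remote = is_anonymous(e), is_remote_kubectl(e)
        if not (anon or remote):
            continue
        sensitive = touches_sensitive_object(e)
        severity = "high" if anon and sensitive else "medium" if anon or (remote and sensitive) else "low"
        findings.append((severity, e["user"]["username"], e["sourceIPs"][0], e["verb"], e["objectRef"]["resource"]))
    return findings


if __name__ == "__main__":
    evts = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("anonymous:", anonymous_requests(evts))
    print("rare kubectl:", rare_kubectl_calls(evts))
    print("triage:", triage(evts))
```

Running the block shows the anonymous read of kube-system Secrets as the only AWS-style hit, the two single-occurrence remote kubectl calls as the rare ones, and alice's repeated pod listing from 10.0.0.4 dropping to "low", which is the low-false-positive behaviour the LoFP note describes: the verb, source IP and object type, not the kubectl call itself, decide what an analyst looks at first.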