Techniques
Sample rules
Kubernetes Azure detect RBAC authorization by account
- source: splunk
- technicques:
Description
This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding rare or top to see both extremes of RBAC by accounts occurrences
Detection logic
`kubernetes_azure` category=kube-audit
| spath input=properties.log
| search annotations.authorization.k8s.io/reason=*
| table sourceIPs{} user.username userAgent annotations.authorization.k8s.io/reason
|stats count by user.username annotations.authorization.k8s.io/reason
| rare user.username annotations.authorization.k8s.io/reason
|`kubernetes_azure_detect_rbac_authorization_by_account_filter`
Kubernetes AWS detect RBAC authorization by account
- source: splunk
- technicques:
Description
This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences
Detection logic
`aws_cloudwatchlogs_eks` annotations.authorization.k8s.io/reason=*
| table sourceIPs{} user.username userAgent annotations.authorization.k8s.io/reason
| stats count by user.username annotations.authorization.k8s.io/reason
| rare user.username annotations.authorization.k8s.io/reason
|`kubernetes_aws_detect_rbac_authorization_by_account_filter`
Kubernetes GCP detect RBAC authorizations by account
- source: splunk
- technicques:
Description
This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences
Detection logic
`google_gcp_pubsub_message` data.labels.authorization.k8s.io/reason=ClusterRoleBinding OR Clusterrole
| table src_ip src_user data.labels.authorization.k8s.io/decision data.labels.authorization.k8s.io/reason
| rare src_user data.labels.authorization.k8s.io/reason
|`kubernetes_gcp_detect_rbac_authorizations_by_account_filter`