LoFP

Not all service account interactions are malicious. The analyst must consider IP, verb and decision context when trying to detect maliciousness.

Sample rules

Kubernetes AWS detect most active service accounts by pod

Description

This search provides information on Kubernetes service accounts accessing pods, broken down by source IP address, verb and authorization decision.

Detection logic

`aws_cloudwatchlogs_eks` user.groups{}=system:serviceaccounts objectRef.resource=pods
| table sourceIPs{} user.username userAgent verb annotations.authorization.k8s.io/decision
| top sourceIPs{} user.username verb annotations.authorization.k8s.io/decision
| `kubernetes_aws_detect_most_active_service_accounts_by_pod_filter`

Kubernetes GCP detect most active service accounts by pod

Description

This search provides information on Kubernetes service accounts accessing pods, broken down by source IP address, verb and authorization decision.

Detection logic

`google_gcp_pubsub_message` data.protoPayload.request.spec.group{}=system:serviceaccounts
| table src_ip src_user http_user_agent data.protoPayload.request.spec.nonResourceAttributes.verb data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource
| top src_ip src_user http_user_agent data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource
| `kubernetes_gcp_detect_most_active_service_accounts_by_pod_filter`

Kubernetes Azure active service accounts by pod namespace

Description

This search provides information on Kubernetes service accounts accessing pods and namespaces, broken down by source IP address and verb.

Detection logic

`kubernetes_azure` category=kube-audit
| spath input=properties.log
| search user.groups{}=system:serviceaccounts* OR user.username=system.anonymous OR annotations.authorization.k8s.io/decision=allow
| table sourceIPs{} user.username userAgent verb responseStatus.reason responseStatus.status properties.pod objectRef.namespace
| top sourceIPs{} user.username verb responseStatus.status properties.pod objectRef.namespace
| `kubernetes_azure_active_service_accounts_by_pod_namespace_filter`
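The three searches above all do the same thing: filter Kubernetes audit events to service-account activity against pods and rank the (source IP, username, verb, decision) tuples. The following Python is an added example, not part of the LoFP page or the Splunk rules, that reproduces that aggregation over constructed audit events in the EKS field shape and then applies the false-positive guidance: routine allowed reads are expected, while forbidden decisions or write verbs are what the analyst should look at. The event shape, group wildcard (matching the Azure variant's `system:serviceaccounts*`) and review heuristic are assumptions.

```python
from collections import Counter

def _event(ip, username, groups, verb, resource, decision):
    """Build a minimal Kubernetes audit event (constructed sample data, not real logs)."""
    return {"sourceIPs": [ip], "user": {"username": username, "groups": groups},
            "userAgent": "constructed/1.0", "verb": verb,
            "objectRef": {"resource": resource, "namespace": "default"},
            "annotations": {"authorization.k8s.io/decision": decision}}

SA_GROUPS = ["system:serviceaccounts", "system:serviceaccounts:kube-system", "system:authenticated"]
CD = "system:serviceaccount:kube-system:coredns"
MS = "system:serviceaccount:kube-system:metrics-server"
DF = "system:serviceaccount:default:default"

# Constructed audit events: two routine coredns listings, one metrics-server read,
# a default service account trying to delete a pod (forbidden), a human admin read
# (not a service account) and a service-account read of configmaps (not pods).
SAMPLE_AUDIT_EVENTS = [
    _event("10.0.1.5", CD, SA_GROUPS, "list", "pods", "allow"),
    _event("10.0.1.5", CD, SA_GROUPS, "list", "pods", "allow"),
    _event("10.0.1.7", MS, SA_GROUPS, "get", "pods", "allow"),
    _event("10.0.2.9", DF, ["system:serviceaccounts", "system:authenticated"], "delete", "pods", "forbid"),
    _event("192.0.2.10", "kubernetes-admin", ["system:masters", "system:authenticated"], "get", "pods", "allow"),
    _event("10.0.1.7", MS, SA_GROUPS, "get", "configmaps", "allow"),
]

def is_service_account_pod_event(event):
    """Mirror the SPL filter: user.groups{}=system:serviceaccounts* AND objectRef.resource=pods."""
    groups = event.get("user", {}).get("groups", [])
    return (any(g.startswith("system:serviceaccounts") for g in groups)
            and event.get("objectRef", {}).get("resource") == "pods")

def top_service_account_pod_activity(events, limit=10):
    """Equivalent of `| top sourceIPs{} user.username verb decision`:
    returns [((ip, username, verb, decision), count), ...], most frequent first."""
    counter = Counter()
    for ev in events:
        if not is_service_account_pod_event(ev):
            continue
        decision = ev.get("annotations", {}).get("authorization.k8s.io/decision", "unknown")
        for ip in ev.get("sourceIPs") or ["unknown"]:
            counter[(ip, ev["user"]["username"], ev["verb"], decision)] += 1
    return counter.most_common(limit)

def needs_analyst_review(row):
    """Apply the false-positive guidance: allowed reads are normal for service accounts;
    a forbidden decision or a write verb is worth checking against IP, verb and decision."""
    _ip, _user, verb, decision = row
    return decision != "allow" or verb not in {"get", "list", "watch"}

if __name__ == "__main__":
    for row, count in top_service_account_pod_activity(SAMPLE_AUDIT_EVENTS):
        print(count, row, "REVIEW" if needs_analyst_review(row) else "routine")
```

Only the forbidden `delete` by the default service account is marked for review; the two high-volume coredns rows are the exact kind of benign top-N hit the false-positive note warns about.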