Sample rules
Amazon EKS Kubernetes cluster scan detection
- source: splunk
- techniques:
- T1526
Description
This search surfaces requests made to Kubernetes clusters in AWS by the unauthenticated system:anonymous user, reporting for each source IP the user agent, groups, verbs, request URIs and response codes observed. Requests whose userAgent is "AWS Security Scanner" are excluded. It relies on EKS control plane audit logging being enabled, so that API server audit events reach CloudWatch Logs. Note that a default cluster allows anonymous access to a few discovery endpoints such as /healthz and /version, so hits on those paths alone are not by themselves evidence of an attack; look at the full set of URIs and verbs from the source.
Detection logic
`aws_cloudwatchlogs_eks` "user.username"="system:anonymous" userAgent!="AWS Security Scanner"
| rename sourceIPs{} as src_ip
| stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(source) as cluster_name values(responseStatus.code) values(userAgent) as http_user_agent values(verb) values(requestURI) by src_ip user.username user.groups{}
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `amazon_eks_kubernetes_cluster_scan_detection_filter`
Amazon EKS Kubernetes Pod scan detection
- source: splunk
- techniques:
- T1526
Description
The following analytic detects unauthenticated requests made against the Kubernetes Pods API, so that anonymous probing of the cluster is caught early. It runs the aws_cloudwatchlogs_eks search with filters that select events where user.username is "system:anonymous", the verb is "list", objectRef.resource is "pods", and requestURI is exactly "/api/v1/pods". Unauthenticated access to the Pods API can expose sensitive data held in pod specifications, and a successful listing is often the first step toward unauthorized command execution or lateral movement inside the cluster. Because the requestURI comparison is an exact match, list requests that carry query parameters (for example a limit or a label selector) are not matched by this rule as written; widen the match if that traffic matters in your environment. False positives are possible where anonymous requests are legitimately expected, so review and validate each hit before taking action. Next steps are to investigate the source and scope of the access to contain any ongoing threat, and to harden the cluster against further unauthorized access attempts.
Detection logic
`aws_cloudwatchlogs_eks` "user.username"="system:anonymous" verb=list objectRef.resource=pods requestURI="/api/v1/pods"
| rename source as cluster_name sourceIPs{} as src_ip
| stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(responseStatus.code) values(userAgent) values(verb) values(requestURI) by src_ip cluster_name user.username user.groups{}
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `amazon_eks_kubernetes_pod_scan_detection_filter`
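To show both detections end to end, here is an added Python example (not Splunk's code and not part of the original page) that re-implements the two searches above over constructed Kubernetes audit events shaped like the ones EKS forwards to CloudWatch Logs. The event builder, the sample IPs, user agents and timestamps, the "prod-eks" cluster name (standing in for the Splunk source field the SPL renames to cluster_name) and the allowlist argument that stands in for the empty _filter macros are all assumptions made for this example.

```python
"""Offline re-implementation of the two EKS detections above (added example, not
Splunk's code) over constructed Kubernetes audit events."""
from datetime import datetime


def event(ts, user, groups, ip, ua, verb, uri, code, reason=None, resource=None):
    """Build one audit.k8s.io/v1-shaped event. Helper for the constructed samples only;
    "cluster_name" stands in for the Splunk `source` field the page's SPL renames."""
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
          "requestReceivedTimestamp": ts, "user": {"username": user, "groups": groups},
          "sourceIPs": [ip], "verb": verb, "requestURI": uri,
          "responseStatus": {"code": code}, "cluster_name": "prod-eks"}
    if ua is not None:
        ev["userAgent"] = ua
    if reason:
        ev["responseStatus"]["reason"] = reason
    if resource:
        ev["objectRef"] = {"resource": resource}
    return ev


ANON = ("system:anonymous", ["system:unauthenticated"])
# Constructed sample events (assumed IPs, agents and times); none are real log data.
SAMPLE_EVENTS = [
    event("2024-05-01T10:00:00.000000Z", *ANON, "198.51.100.10", "python-requests/2.31",
          "get", "/version", 200),
    event("2024-05-01T10:00:02.000000Z", *ANON, "198.51.100.10", "python-requests/2.31",
          "list", "/api/v1/pods", 403, "Forbidden", "pods"),
    # tagged scanner: excluded from rule 1
    event("2024-05-01T10:00:05.000000Z", *ANON, "203.0.113.5", "AWS Security Scanner",
          "get", "/healthz", 200),
    # authenticated admin: excluded from both rules
    event("2024-05-01T10:00:09.000000Z", "kubernetes-admin", ["system:masters"],
          "10.0.1.25", "kubectl/v1.29.0", "list", "/api/v1/pods", 200, None, "pods"),
    event("2024-05-01T10:01:30.000000Z", *ANON, "198.51.100.10", "python-requests/2.31",
          "list", "/api/v1/pods", 403, "Forbidden", "pods"),
    # single pod get: rule 1 only (verb and URI do not match rule 2)
    event("2024-05-01T10:02:00.000000Z", *ANON, "198.51.100.10", "curl/8.5.0",
          "get", "/api/v1/namespaces/kube-system/pods/coredns-1", 403, "Forbidden", "pods"),
    # no userAgent at all: SPL `userAgent!="..."` needs the field to exist, so rule 1 drops it
    event("2024-05-01T10:03:00.000000Z", *ANON, "192.0.2.77", None, "get", "/version", 200),
]

VALUE_FIELDS = ("cluster_name", "responseStatus.reason", "responseStatus.code",
                "userAgent", "verb", "requestURI")


def _get(ev, path):
    """Dotted-path lookup matching Splunk field names such as responseStatus.code."""
    for part in path.split("."):
        if not isinstance(ev, dict) or part not in ev:
            return None
        ev = ev[part]
    return ev


def _src_ip(ev):
    # sourceIPs lists the originating client first, then any intermediate proxies
    return ev["sourceIPs"][0]


def _stats(events, key_fn):
    """Splunk-style `stats count min(_time) max(_time) values(...) by <key>`."""
    rows = {}
    for ev in events:
        row = rows.setdefault(key_fn(ev), {"count": 0, "firstTime": None, "lastTime": None,
                                           **{f: set() for f in VALUE_FIELDS}})
        t = datetime.fromisoformat(ev["requestReceivedTimestamp"].replace("Z", "+00:00"))
        row["count"] += 1
        row["firstTime"] = t if row["firstTime"] is None else min(row["firstTime"], t)
        row["lastTime"] = t if row["lastTime"] is None else max(row["lastTime"], t)
        for f in VALUE_FIELDS:
            if (v := _get(ev, f)) is not None:
                row[f].add(v)
    for row in rows.values():  # emulate security_content_ctime and sorted values()
        for k in ("firstTime", "lastTime"):
            row[k] = row[k].strftime("%Y-%m-%dT%H:%M:%SZ")
        for f in VALUE_FIELDS:
            row[f] = sorted(row[f], key=str)
    return rows


def cluster_scan_detection(events, allowlist=frozenset()):
    """Rule 1: every system:anonymous request except those tagged AWS Security Scanner.
    `allowlist` of source IPs stands in for the empty `_filter` macro (assumption)."""
    hits = [ev for ev in events
            if _get(ev, "user.username") == "system:anonymous"
            and "userAgent" in ev and ev["userAgent"] != "AWS Security Scanner"
            and _src_ip(ev) not in allowlist]
    # groups kept as a tuple; Splunk's `by user.groups{}` would emit one row per group value
    return _stats(hits, lambda ev: (_src_ip(ev), ev["user"]["username"],
                                    tuple(ev["user"].get("groups", []))))


def pod_scan_detection(events, allowlist=frozenset()):
    """Rule 2: anonymous `list pods` whose requestURI is exactly /api/v1/pods."""
    hits = [ev for ev in events
            if _get(ev, "user.username") == "system:anonymous"
            and ev.get("verb") == "list"
            and _get(ev, "objectRef.resource") == "pods"
            and ev.get("requestURI") == "/api/v1/pods"
            and _src_ip(ev) not in allowlist]
    return _stats(hits, lambda ev: (_src_ip(ev), ev["cluster_name"], ev["user"]["username"],
                                    tuple(ev["user"].get("groups", []))))


if __name__ == "__main__":
    for name, rule in (("cluster scan", cluster_scan_detection), ("pod scan", pod_scan_detection)):
        print(f"== {name} ==")
        for key, row in rule(SAMPLE_EVENTS).items():
            print(key, row["count"], row["firstTime"], row["lastTime"], row["requestURI"])
```

Run as a script, the cluster scan rule returns a single row for 198.51.100.10 covering four anonymous requests (the /version probe, two pod listings and one single-pod get), while the pod scan rule returns one row with the two /api/v1/pods listings. The event with no userAgent is dropped by the first rule because, like the SPL comparison userAgent!="AWS Security Scanner", the check requires the field to be present; if you want such events included, write the Splunk condition as NOT userAgent="AWS Security Scanner" instead.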