Techniques
Sample rules
GCP Kubernetes cluster pod scan detection
- source: splunk
- technicques:
- T1526
Description
The following analytic identifies unauthenticated requests to Kubernetes cluster pods. It detects this activity by analyzing GCP Pub/Sub messages for audit logs where the response status code is 401, indicating unauthorized access attempts. This activity is significant for a SOC because it may indicate reconnaissance or scanning attempts by an attacker trying to identify vulnerable pods. If confirmed malicious, this activity could lead to unauthorized access, allowing the attacker to exploit vulnerabilities within the cluster, potentially compromising sensitive data or gaining control over the Kubernetes environment.
Detection logic
`google_gcp_pubsub_message` category=kube-audit
|spath input=properties.log
|search responseStatus.code=401
|table sourceIPs{} userAgent verb requestURI responseStatus.reason properties.pod
| `gcp_kubernetes_cluster_pod_scan_detection_filter`