LoFP / not all unauthenticated requests are malicious, but frequency, user agent, source IPs and pods will provide context.

Techniques

Sample rules

GCP Kubernetes cluster pod scan detection

Description

This search surfaces unauthenticated requests (HTTP 401 responses) against a Kubernetes cluster's pods, reporting the user agent, source IPs and authentication data for each request.

Detection logic

`google_gcp_pubsub_message` category=kube-audit 
|spath input=properties.log 
|search responseStatus.code=401 
|table sourceIPs{} userAgent verb requestURI responseStatus.reason properties.pod 
| `gcp_kubernetes_cluster_pod_scan_detection_filter`
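The same filter implemented in Python over constructed sample Pub/Sub messages, as an added illustration that is not part of the LoFP page or of the rule itself; it also counts hits per source IP, user agent and pod, which is the context the note above says separates benign 401s (probes, misconfigured clients) from scanning. The message layout, pod names, IPs and user agents are assumptions made for the example.

```python
import json
from collections import Counter

# Constructed sample Pub/Sub messages in the shape the search above consumes:
# properties.log carries the Kubernetes audit event as a JSON string and
# properties.pod names the pod that emitted it. None of this is real data.
def _event(verb, uri, code, reason, ips, ua):
    return json.dumps({"verb": verb, "requestURI": uri, "userAgent": ua, "sourceIPs": ips,
                       "responseStatus": {"code": code, "reason": reason}})

SAMPLE_MESSAGES = [
    {"category": "kube-audit", "properties": {"pod": "kube-apiserver-a",
     "log": _event("get", "/api/v1/pods", 401, "Unauthorized", ["203.0.113.7"], "curl/8.0")}},
    {"category": "kube-audit", "properties": {"pod": "kube-apiserver-a",
     "log": _event("get", "/api/v1/namespaces", 401, "Unauthorized", ["203.0.113.7"], "curl/8.0")}},
    {"category": "kube-audit", "properties": {"pod": "kube-apiserver-b",
     "log": _event("get", "/healthz", 401, "Unauthorized", ["10.0.0.5"], "kube-probe/1.27")}},
    {"category": "kube-audit", "properties": {"pod": "kube-apiserver-a",
     "log": _event("list", "/api/v1/pods", 200, "", ["10.0.0.9"], "kubectl/v1.27")}},
    {"category": "kube-audit", "properties": {"pod": "kube-apiserver-b", "log": "not json"}},
    {"category": "app-log", "properties": {"pod": "web-1", "log": "GET / 401"}},
]

def unauthenticated_requests(messages):
    """Mirror of the SPL pipeline: category filter, spath on properties.log,
    responseStatus.code=401, then the tabled fields (one row per source IP)."""
    rows = []
    for msg in messages:
        if msg.get("category") != "kube-audit":
            continue
        props = msg.get("properties", {})
        try:
            ev = json.loads(props.get("log", ""))
        except (TypeError, ValueError):
            continue  # spath extracts nothing from non-JSON logs, so the row drops out
        if not isinstance(ev, dict) or ev.get("responseStatus", {}).get("code") != 401:
            continue
        for ip in ev.get("sourceIPs", []):  # sourceIPs{} flattens this array in SPL
            rows.append({"sourceIP": ip, "userAgent": ev.get("userAgent"),
                         "verb": ev.get("verb"), "requestURI": ev.get("requestURI"),
                         "reason": ev["responseStatus"].get("reason"),
                         "pod": props.get("pod")})
    return rows

def context_by_source(rows):
    """Frequency per (source IP, user agent, pod): the context the LoFP note says
    tells repeated probing apart from one-off benign unauthenticated calls."""
    return Counter((r["sourceIP"], r["userAgent"], r["pod"]) for r in rows)
```

Running `context_by_source(unauthenticated_requests(SAMPLE_MESSAGES))` shows the repeated curl hits from one external address standing apart from a single health-probe 401.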