Techniques
Sample rules
GCP Kubernetes cluster pod scan detection
- source: splunk
- techniques:
- T1526
Description
This search surfaces unauthenticated requests against a GKE cluster's API server by selecting kube-audit events that received an HTTP 401 (Unauthorized) response and reporting, for each, the source IP, user agent, verb, request URI, rejection reason and the API server pod that logged it. The pattern of interest is one source producing 401s across many pod or namespace URIs, which is what an unauthenticated scanner enumerating pods looks like; isolated 401s from a known client are more often an expired or misconfigured credential and should be triaged as such.
Detection logic
`google_gcp_pubsub_message` category=kube-audit
| spath input=properties.log
| search responseStatus.code=401
| table sourceIPs{} userAgent verb requestURI responseStatus.reason properties.pod
| `gcp_kubernetes_cluster_pod_scan_detection_filter`
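To see what the search above actually returns, here is a Python replay of the same logic over a handful of constructed Pub/Sub messages. This is an added example, not part of the original rule or of the Splunk content it comes from. The message envelope (a `properties.log` string carrying the kube-audit JSON, with `properties.pod` beside it) and every sample event are assumptions chosen to match the fields the SPL references, and the final grouping by source IP goes beyond the page's search as a suggested triage step for separating a sweep from a single client with a stale token.

```python
"""Offline replay of the GKE pod-scan detection: spath -> search 401 -> table."""
import json
from collections import defaultdict


def _pubsub_message(src_ip, user_agent, verb, uri, code, reason=None,
                    pod="kube-apiserver-gke-1"):
    """Build one constructed Pub/Sub message. The envelope layout
    (properties.log holding the audit JSON as a string, properties.pod
    alongside) is an assumption matching the fields the SPL uses."""
    status = {"code": code}
    if reason:
        status["reason"] = reason
    audit = {
        "kind": "Event",
        "apiVersion": "audit.k8s.io/v1",
        "sourceIPs": [src_ip],
        "userAgent": user_agent,
        "verb": verb,
        "requestURI": uri,
        "responseStatus": status,
    }
    return {"properties": {"log": json.dumps(audit), "pod": pod}}


# Constructed sample input, not real GCP data.
SAMPLE_MESSAGES = [
    # One source probing several URIs unauthenticated: the scan pattern.
    _pubsub_message("203.0.113.7", "kube-hunter/0.6.8", "list",
                    "/api/v1/pods?limit=500", 401, "Unauthorized"),
    _pubsub_message("203.0.113.7", "kube-hunter/0.6.8", "list",
                    "/api/v1/namespaces/kube-system/pods", 401, "Unauthorized"),
    _pubsub_message("203.0.113.7", "kube-hunter/0.6.8", "list",
                    "/api/v1/secrets", 401, "Unauthorized"),
    # One 401 from an ordinary client: looks like an expired credential.
    _pubsub_message("198.51.100.22", "kubectl/v1.27.3 (linux/amd64)", "get",
                    "/api/v1/namespaces/default/pods", 401, "Unauthorized"),
    # Authenticated request: filtered out by the 401 predicate.
    _pubsub_message("10.0.0.5", "kubelet/v1.27.3 (linux/amd64)", "get",
                    "/api/v1/nodes/gke-node-1", 200),
    # Malformed log payload: spath would extract nothing, so it is dropped.
    {"properties": {"log": "not json at all", "pod": "kube-apiserver-gke-1"}},
]


def _audit_record(message):
    """Mirror `spath input=properties.log`: parse the audit JSON string.
    Returns None when the field is missing or not a JSON object."""
    raw = message.get("properties", {}).get("log")
    if not isinstance(raw, str):
        return None
    try:
        record = json.loads(raw)
    except json.JSONDecodeError:
        return None
    return record if isinstance(record, dict) else None


def unauthenticated_requests(messages):
    """Mirror `search responseStatus.code=401 | table ...`: keep only records
    the API server rejected as unauthenticated and project the SPL's columns."""
    rows = []
    for message in messages:
        record = _audit_record(message)
        if record is None:
            continue
        status = record.get("responseStatus") or {}
        # Splunk compares the field loosely; accept int or string 401 here too.
        if str(status.get("code")) != "401":
            continue
        rows.append({
            "sourceIPs": list(record.get("sourceIPs") or []),
            "userAgent": record.get("userAgent", ""),
            "verb": record.get("verb", ""),
            "requestURI": record.get("requestURI", ""),
            "reason": status.get("reason", ""),
            "pod": message.get("properties", {}).get("pod", ""),
        })
    return rows


def scan_candidates(rows, min_distinct_uris=3):
    """Added triage step, not in the page's SPL: group 401s by source IP and
    keep sources that probed several distinct URIs. A sweep across pods and
    namespaces scores high; one client retrying a single URI does not."""
    uris_by_ip = defaultdict(set)
    for row in rows:
        for ip in row["sourceIPs"]:
            uris_by_ip[ip].add(row["requestURI"])
    return {ip: sorted(uris) for ip, uris in uris_by_ip.items()
            if len(uris) >= min_distinct_uris}


if __name__ == "__main__":
    hits = unauthenticated_requests(SAMPLE_MESSAGES)
    for row in hits:
        print(row)
    print("scan candidates:", scan_candidates(hits))
```

Running it lists the four 401 rows the SPL `table` would show and then flags only 203.0.113.7, the source that touched three distinct URIs; the kubectl client with one 401 stays out of the candidate set, which is the distinction an analyst has to make by hand when reading the raw Splunk table.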