Techniques
Sample rules
Kubernetes GCP detect sensitive object access
- source: splunk
- technicques:
Description
This search provides information on Kubernetes accounts accessing sensitve objects such as configmaps or secrets
Detection logic
`google_gcp_pubsub_message` data.protoPayload.authorizationInfo{}.resource=configmaps OR secrets
| table data.protoPayload.requestMetadata.callerIp src_user data.resource.labels.cluster_name data.protoPayload.request.metadata.namespace data.labels.authorization.k8s.io/decision
| dedup data.protoPayload.requestMetadata.callerIp src_user data.resource.labels.cluster_name
|`kubernetes_gcp_detect_sensitive_object_access_filter`
AWS EKS Kubernetes cluster sensitive object access
- source: splunk
- technicques:
Description
This search provides information on Kubernetes accounts accessing sensitve objects such as configmaps or secrets
Detection logic
`aws_cloudwatchlogs_eks` objectRef.resource=secrets OR configmaps sourceIPs{}!=::1 sourceIPs{}!=127.0.0.1
|table sourceIPs{} user.username user.groups{} objectRef.resource objectRef.namespace objectRef.name annotations.authorization.k8s.io/reason
|dedup user.username user.groups{}
|`aws_eks_kubernetes_cluster_sensitive_object_access_filter`
Kubernetes Azure detect sensitive object access
- source: splunk
- technicques:
Description
This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets
Detection logic
`kubernetes_azure` category=kube-audit
| spath input=properties.log
| search objectRef.resource=secrets OR configmaps user.username=system.anonymous OR annotations.authorization.k8s.io/decision=allow
|table user.username user.groups{} objectRef.resource objectRef.namespace objectRef.name annotations.authorization.k8s.io/reason
|dedup user.username user.groups{}
|`kubernetes_azure_detect_sensitive_object_access_filter`