Sample rules
Kubernetes GCP detect sensitive role access
- source: splunk
- technicques:
Description
This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets
Detection logic
`google_gcp_pubsub_message` data.labels.authorization.k8s.io/reason=ClusterRoleBinding OR Clusterrole dest=apis/rbac.authorization.k8s.io/v1 src_ip!=::1
| table src_ip src_user http_user_agent data.labels.authorization.k8s.io/decision data.labels.authorization.k8s.io/reason
| dedup src_ip src_user
|`kubernetes_gcp_detect_sensitive_role_access_filter`
Kubernetes AWS detect sensitive role access
- source: splunk
- technicques:
Description
This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets
Detection logic
`aws_cloudwatchlogs_eks` objectRef.resource=clusterroles OR clusterrolebindings sourceIPs{}!=::1 sourceIPs{}!=127.0.0.1
| table sourceIPs{} user.username user.groups{} objectRef.namespace requestURI annotations.authorization.k8s.io/reason
| dedup user.username user.groups{}
|`kubernetes_aws_detect_sensitive_role_access_filter`
Kubernetes Azure detect sensitive role access
- source: splunk
- technicques:
Description
This search provides information on Kubernetes accounts accessing sensitve objects such as configmpas or secrets
Detection logic
`kubernetes_azure` category=kube-audit
| spath input=properties.log
| search objectRef.resource=clusterroles OR clusterrolebindings
| table sourceIPs{} user.username user.groups{} objectRef.namespace requestURI annotations.authorization.k8s.io/reason
| dedup user.username user.groups{}
|`kubernetes_azure_detect_sensitive_role_access_filter`