Techniques
Sample rules
Kubernetes Azure detect service accounts forbidden failure access
- source: splunk
- techniques:
Description
This search provides information on Kubernetes service accounts with failure or forbidden access status
Detection logic
`kubernetes_azure` category=kube-audit
| spath input=properties.log
| search user.groups{}=system:serviceaccounts* responseStatus.reason=Forbidden
| table sourceIPs{} user.username userAgent verb responseStatus.reason responseStatus.status properties.pod objectRef.namespace
| `kubernetes_azure_detect_service_accounts_forbidden_failure_access_filter`
Kubernetes AWS detect service accounts forbidden failure access
- source: splunk
- techniques:
Description
This search provides information on Kubernetes service accounts with failure or forbidden access status. It can be extended with the top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URIs.
Detection logic
`aws_cloudwatchlogs_eks` user.groups{}=system:serviceaccounts responseStatus.status = Failure
| table sourceIPs{} user.username userAgent verb responseStatus.status requestURI
| `kubernetes_aws_detect_service_accounts_forbidden_failure_access_filter`
Kubernetes GCP detect service accounts forbidden failure access
- source: splunk
- techniques:
Description
This search provides information on Kubernetes service accounts with failure or forbidden access status. It can be extended with the top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URIs.
Detection logic
`google_gcp_pubsub_message` system:serviceaccounts data.protoPayload.response.status.allowed!=*
| table src_ip src_user http_user_agent data.protoPayload.response.spec.resourceAttributes.namespace data.resource.labels.cluster_name data.protoPayload.response.spec.resourceAttributes.verb data.protoPayload.request.status.allowed data.protoPayload.response.status.reason data.labels.authorization.k8s.io/decision
| dedup src_ip src_user
| `kubernetes_gcp_detect_service_accounts_forbidden_failure_access_filter`
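All three searches above apply the same two conditions to Kubernetes audit events: the caller belongs to a `system:serviceaccounts*` group, and the API server answered with a Forbidden reason (Azure) or a Failure status (AWS, and the GCP variant via `status.allowed`). The following Python is an added example, not one of the catalogue's rules or Splunk's code, that applies that filter to raw Kubernetes audit log lines in the upstream audit-event JSON format and produces the same columns the `table` commands select, plus the `top`-style aggregation the AWS and GCP descriptions mention. The audit lines, IP addresses and service-account names are constructed for illustration.

```python
"""Added example: filter Kubernetes audit events for service-account requests
that were forbidden or failed, mirroring the Splunk searches above."""
import json
from collections import Counter

# Constructed sample audit lines (upstream Kubernetes audit-event JSON, the same
# shape the Azure search reads out of properties.log). Not real cluster data.
SAMPLE_AUDIT_LINES = [
    # 1) service account in "default" lists secrets in kube-system -> Forbidden
    json.dumps({
        "kind": "Event", "verb": "list",
        "requestURI": "/api/v1/namespaces/kube-system/secrets",
        "user": {"username": "system:serviceaccount:default:default",
                 "groups": ["system:serviceaccounts",
                            "system:serviceaccounts:default",
                            "system:authenticated"]},
        "sourceIPs": ["10.244.1.7"], "userAgent": "curl/7.88.1",
        "objectRef": {"resource": "secrets", "namespace": "kube-system"},
        "responseStatus": {"status": "Failure", "reason": "Forbidden", "code": 403},
    }),
    # 2) same service account, permitted request -> must not be reported
    json.dumps({
        "kind": "Event", "verb": "get",
        "requestURI": "/api/v1/namespaces/default/pods/web-0",
        "user": {"username": "system:serviceaccount:default:default",
                 "groups": ["system:serviceaccounts", "system:authenticated"]},
        "sourceIPs": ["10.244.1.7"], "userAgent": "kubectl/v1.29.0",
        "objectRef": {"resource": "pods", "namespace": "default"},
        "responseStatus": {"code": 200},
    }),
    # 3) human user denied -> not a service account, must not be reported
    json.dumps({
        "kind": "Event", "verb": "delete",
        "requestURI": "/api/v1/namespaces/prod/pods/db-0",
        "user": {"username": "alice@example.test",
                 "groups": ["developers", "system:authenticated"]},
        "sourceIPs": ["198.51.100.20"], "userAgent": "kubectl/v1.29.0",
        "objectRef": {"resource": "pods", "namespace": "prod"},
        "responseStatus": {"status": "Failure", "reason": "Forbidden", "code": 403},
    }),
    # 4) service account whose request failed without a Forbidden reason
    #    (the AWS search keys on responseStatus.status=Failure alone)
    json.dumps({
        "kind": "Event", "verb": "get",
        "requestURI": "/api/v1/namespaces/monitoring/configmaps/grafana",
        "user": {"username": "system:serviceaccount:monitoring:grafana",
                 "groups": ["system:serviceaccounts:monitoring", "system:authenticated"]},
        "sourceIPs": ["10.244.2.3"], "userAgent": "Go-http-client/2.0",
        "objectRef": {"resource": "configmaps", "namespace": "monitoring"},
        "responseStatus": {"status": "Failure", "reason": "Unauthorized", "code": 401},
    }),
    # 5) anonymous request carrying no user groups at all -> must not crash
    json.dumps({"kind": "Event", "verb": "get", "requestURI": "/healthz",
                "user": {"username": "system:anonymous"},
                "responseStatus": {"code": 200}}),
]


def is_service_account(event):
    """True when any user group matches the search term system:serviceaccounts*."""
    groups = event.get("user", {}).get("groups", []) or []
    return any(g.startswith("system:serviceaccounts") for g in groups)


def is_forbidden_or_failed(event):
    """Azure keys on reason=Forbidden, AWS on status=Failure; accept either."""
    status = event.get("responseStatus", {}) or {}
    return status.get("reason") == "Forbidden" or status.get("status") == "Failure"


def detect(audit_lines):
    """Return one row per matching event with the columns the searches table."""
    rows = []
    for line in audit_lines:
        event = json.loads(line)
        if not (is_service_account(event) and is_forbidden_or_failed(event)):
            continue
        ips = event.get("sourceIPs") or [None]
        status = event.get("responseStatus", {})
        rows.append({
            "source_ip": ips[0],
            "username": event.get("user", {}).get("username"),
            "user_agent": event.get("userAgent"),
            "verb": event.get("verb"),
            "reason": status.get("reason"),
            "status": status.get("status"),
            "namespace": event.get("objectRef", {}).get("namespace"),
            "request_uri": event.get("requestURI"),
        })
    return rows


def top(rows, field):
    """Equivalent of Splunk's `top <field>`: (value, count) pairs, most common first."""
    return Counter(r[field] for r in rows).most_common()


if __name__ == "__main__":
    hits = detect(SAMPLE_AUDIT_LINES)
    for row in hits:
        print(row)
    print("top source_ip:", top(hits, "source_ip"))
```

Events 1 and 4 are reported; event 3 is a denied human user and event 2 a permitted service-account call, so neither appears, and the anonymous event without a `groups` list is skipped rather than raising. Feeding `top()` the `namespace` or `user_agent` column is the in-process counterpart of extending the Splunk searches with `top` or `rare` to spot a single service account generating a burst of denials.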