/
kubernetes_azure_detect_suspicious_kubectl_calls.yml
42 lines (42 loc) · 1.54 KB
/
kubernetes_azure_detect_suspicious_kubectl_calls.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
name: Kubernetes Azure detect suspicious kubectl calls
id: 4b6d1ba8-0000-4cec-87e6-6cbbd71651b5
version: 1
date: '2020-05-26'
author: Rod Soto, Splunk
status: deprecated
type: Hunting
description: This search provides information on rare Kubectl calls with IP, verb
namespace and object access context
data_source: []
search: '`kubernetes_azure` category=kube-audit | spath input=properties.log | spath
input=responseObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration
| search userAgent=kubectl* sourceIPs{}!=127.0.0.1 sourceIPs{}!=::1 | table sourceIPs{}
verb userAgent user.groups{} objectRef.resource objectRef.namespace requestURI |
rare sourceIPs{} verb userAgent user.groups{} objectRef.resource objectRef.namespace
requestURI |`kubernetes_azure_detect_suspicious_kubectl_calls_filter`'
how_to_implement: You must install the Add-on for Microsoft Cloud Services and Configure
Kube-Audit data diagnostics
known_false_positives: Kubectl calls are not malicious by nature. However source IP,
verb and Object can reveal potential malicious activity, specially suspicious IPs
and sensitive objects such as configmaps or secrets
references: []
tags:
analytic_story:
- Kubernetes Sensitive Object Access Activity
asset_type: Azure AKS Kubernetes cluster
confidence: 50
impact: 50
message: tbd
observable:
- name: field
type: Unknown
role:
- Unknown
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
risk_score: 25
security_domain: threat