/
kubernetes_gcp_detect_service_accounts_forbidden_failure_access.yml
42 lines (42 loc) · 1.63 KB
/
kubernetes_gcp_detect_service_accounts_forbidden_failure_access.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
name: Kubernetes GCP detect service accounts forbidden failure access
id: 7094808d-432a-48e7-bb3c-77e96c894f3b
version: 1
date: '2020-06-23'
author: Rod Soto, Splunk
status: deprecated
type: Hunting
description: This search provides information on Kubernetes service accounts with
failure or forbidden access status, this search can be extended by using top or
rare operators to find trends or rarities in failure status, user agents, source
IPs and request URI
data_source: []
search: '`google_gcp_pubsub_message` system:serviceaccounts data.protoPayload.response.status.allowed!=*
| table src_ip src_user http_user_agent data.protoPayload.response.spec.resourceAttributes.namespace
data.resource.labels.cluster_name data.protoPayload.response.spec.resourceAttributes.verb data.protoPayload.request.status.allowed
data.protoPayload.response.status.reason data.labels.authorization.k8s.io/decision
| dedup src_ip src_user | `kubernetes_gcp_detect_service_accounts_forbidden_failure_access_filter`'
how_to_implement: You must install splunk add on for GCP. This search works with pubsub
messaging service logs.
known_false_positives: This search can give false positives as there might be inherent
issues with authentications and permissions at cluster.
references: []
tags:
analytic_story:
- Kubernetes Sensitive Object Access Activity
asset_type: GCP GKE Kubernetes cluster
confidence: 50
impact: 50
message: tbd
observable:
- name: field
type: Unknown
role:
- Unknown
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
risk_score: 25
security_domain: threat