Analytics Story: Kubernetes Sensitive Object Access Activity

Description

This story covers detection and response for accounts accessing sensitive Kubernetes cluster objects such as ConfigMaps and Secrets. The searches surface the requesting user and group, the object and its namespace, and the authorization reason recorded by the API server.

Why it matters

Kubernetes is the most widely used container orchestration platform, and its architecture includes sensitive objects, specifically ConfigMaps and Secrets, that can lead to further compromise if an attacker reads them. These searches let an operator detect suspicious requests against those objects.

Detections

Name | Technique | Type
AWS EKS Kubernetes cluster sensitive object access | None | Hunting
Kubernetes AWS detect service accounts forbidden failure access | None | Hunting
Kubernetes Azure detect sensitive object access | None | Hunting
Kubernetes Azure detect service accounts forbidden failure access | None | Hunting
Kubernetes Azure detect suspicious kubectl calls | None | Hunting
Kubernetes GCP detect sensitive object access | None | Hunting
Kubernetes GCP detect service accounts forbidden failure access | None | Hunting
Kubernetes GCP detect suspicious kubectl calls | None | Hunting
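The three detection families above (sensitive object access, service-account forbidden failures, kubectl-driven calls) all key on the same fields of a Kubernetes API server audit event: the user and groups, the verb, the objectRef (resource, namespace, name), the response code, and the authorization.k8s.io/decision and authorization.k8s.io/reason annotations. The block below is an added example, not part of this story or of the Splunk searches it lists, that runs those three checks over constructed audit.k8s.io/v1 events. The CONTROL_PLANE_USERS suppression list, the sample principals, namespaces and object names, and the helper names are assumptions made for the example.

```python
"""
Added example (not from the analytics story): triage Kubernetes audit events
for sensitive object access, service-account forbidden failures and kubectl
calls. The sample log lines are constructed, not captured from a cluster.
"""
import json
from typing import Iterator, List

SENSITIVE_RESOURCES = {"secrets", "configmaps"}
# Control-plane principals that read ConfigMaps/Secrets as part of normal
# operation. Suppressing them is an assumption of this example, not part of
# the story's searches, and keeps the hunt focused on non-system callers.
CONTROL_PLANE_USERS = {"system:kube-controller-manager", "system:kube-scheduler"}
SERVICE_ACCOUNT_PREFIX = "system:serviceaccount:"
KUBECTL_UA_PREFIX = "kubectl/"


def _event(audit_id, verb, user, groups, resource, namespace, name, code, decision, reason, ua):
    """Build one audit.k8s.io/v1 Metadata-level event as a JSON line (constructed sample)."""
    uri = f"/api/v1/namespaces/{namespace}/{resource}" + (f"/{name}" if name else "")
    obj = {"resource": resource, "namespace": namespace, "apiVersion": "v1"}
    if name:
        obj["name"] = name
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
        "auditID": audit_id, "stage": "ResponseComplete", "requestURI": uri, "verb": verb,
        "user": {"username": user, "groups": groups}, "sourceIPs": ["10.0.0.5"],
        "userAgent": ua, "objectRef": obj, "responseStatus": {"metadata": {}, "code": code},
        "annotations": {"authorization.k8s.io/decision": decision,
                        "authorization.k8s.io/reason": reason},
    })


# Constructed sample audit log (JSON lines), one event per line.
SAMPLE_AUDIT_LOG = "\n".join([
    _event("a1", "get", "alice", ["devs", "system:authenticated"], "secrets", "prod",
           "db-credentials", 200, "allow",
           'RBAC: allowed by ClusterRoleBinding "cluster-admin" of ClusterRole "cluster-admin" to User "alice"',
           "kubectl/v1.27.3 (linux/amd64) kubernetes/25b4e43"),
    _event("a2", "list", "system:serviceaccount:default:default",
           ["system:serviceaccounts", "system:serviceaccounts:default", "system:authenticated"],
           "secrets", "kube-system", None, 403, "forbid", "", "curl/8.1.0"),
    _event("a3", "get", "system:kube-controller-manager", ["system:authenticated"], "configmaps",
           "kube-system", "kube-controller-manager", 200, "allow",
           'RBAC: allowed by ClusterRoleBinding "system:kube-controller-manager" of ClusterRole "system:kube-controller-manager" to User "system:kube-controller-manager"',
           "kube-controller-manager/v1.27.3 (linux/amd64) kubernetes/25b4e43"),
    _event("a4", "create", "bob", ["devs", "system:authenticated"], "pods", "prod", "debug-shell",
           201, "allow", 'RBAC: allowed by RoleBinding "devs/prod" of Role "edit" to Group "devs"',
           "kubectl/v1.27.3 (darwin/arm64) kubernetes/25b4e43"),
    _event("a5", "get", "system:serviceaccount:prod:api",
           ["system:serviceaccounts", "system:serviceaccounts:prod", "system:authenticated"],
           "pods", "prod", "api-0", 200, "allow",
           'RBAC: allowed by RoleBinding "api/prod" of Role "api-reader" to ServiceAccount "api/prod"',
           "api-service/1.0"),
])


def parse_events(text: str) -> Iterator[dict]:
    """Yield one decoded event per non-empty line of a JSON-lines audit log."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def summarize(ev: dict) -> dict:
    """Extract the fields the story lists: user, group, object, namespace, authorization reason."""
    user, obj, ann = ev.get("user", {}), ev.get("objectRef", {}), ev.get("annotations", {})
    return {
        "auditID": ev.get("auditID"), "user": user.get("username") or "",
        "groups": user.get("groups", []), "verb": ev.get("verb"),
        "resource": obj.get("resource"), "namespace": obj.get("namespace"), "name": obj.get("name"),
        "code": ev.get("responseStatus", {}).get("code"),
        "decision": ann.get("authorization.k8s.io/decision"),
        "reason": ann.get("authorization.k8s.io/reason"),
        "userAgent": ev.get("userAgent", ""),
    }


def is_sensitive_object_access(s: dict) -> bool:
    """Any request against secrets/configmaps by a non-control-plane principal, allowed or denied."""
    return s["resource"] in SENSITIVE_RESOURCES and s["user"] not in CONTROL_PLANE_USERS


def is_serviceaccount_forbidden(s: dict) -> bool:
    """A service-account token denied by the authorizer; RBAC probing from a compromised pod looks like this."""
    return s["user"].startswith(SERVICE_ACCOUNT_PREFIX) and (s["code"] == 403 or s["decision"] == "forbid")


def is_kubectl_call(s: dict) -> bool:
    """Interactive kubectl traffic, identified by the client user agent."""
    return s["userAgent"].startswith(KUBECTL_UA_PREFIX)


CHECKS = (("sensitive_object_access", is_sensitive_object_access),
          ("serviceaccount_forbidden", is_serviceaccount_forbidden),
          ("kubectl_call", is_kubectl_call))


def triage(text: str) -> List[dict]:
    """Return a summary (with a 'tags' list) for every event that matches at least one check."""
    findings = []
    for ev in parse_events(text):
        s = summarize(ev)
        tags = [name for name, check in CHECKS if check(s)]
        if tags:
            s["tags"] = tags
            findings.append(s)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LOG):
        print(f["auditID"], f["tags"], f["user"], f["verb"], f["resource"],
              f["namespace"], f["code"], f["decision"], f["reason"])
```

Note that the user agent is client-controlled, so the kubectl check is a hunting pivot rather than a reliable control, and an RBAC denial carries an empty authorization reason in the sample because the RBAC authorizer records the decision but no reason when it forbids a request.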

Data Sources

Name | Platform | Sourcetype | Source
(none listed)

References


Source: GitHub | Version: 1