AWS EKS Kubernetes cluster sensitive object access

Original Source: [splunk source]
Name:AWS EKS Kubernetes cluster sensitive object access
id:7f227943-2196-4d4d-8d6a-ac8cb308e61c
version:3
date:2024-10-17
author:Rod Soto, Splunk
status:deprecated
type:Hunting
Description:This search provides information on Kubernetes accounts accessing sensitve objects such as configmaps or secrets
Data_source:
search:`aws_cloudwatchlogs_eks` objectRef.resource=secrets OR configmaps sourceIPs{}!=::1 sourceIPs{}!=127.0.0.1 |table sourceIPs{} user.username user.groups{} objectRef.resource objectRef.namespace objectRef.name annotations.authorization.k8s.io/reason |dedup user.username user.groups{} |`aws_eks_kubernetes_cluster_sensitive_object_access_filter`

how_to_implement:You must install Splunk Add-on for Amazon Web Services and Splunk App for AWS. This search works with cloudwatch logs.
known_false_positives:Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.
References:
drilldown_searches:
  :
tags:
  analytic_story:
    - 'Kubernetes Sensitive Object Access Activity'
  asset_type:AWS EKS Kubernetes cluster
  confidence:50
  impact:50
  message:tbd
  observable:
    name:'user.username'
    type:'User'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
  risk_score:25
  security_domain:threat

tests:
  :
manual_test:None

Related Analytic Stories


Kubernetes Sensitive Object Access Activity

© 2024 DetectionCode Website. All Rights Reserved.