GCP Kubernetes cluster pod scan detection

Original Source: [splunk source]
Name:GCP Kubernetes cluster pod scan detection
id:19b53215-4a16-405b-8087-9e6acf619842
version:3
date:2024-10-17
author:Rod Soto, Splunk
status:experimental
type:Hunting
Description:The following analytic identifies unauthenticated requests to Kubernetes cluster pods. It detects this activity by analyzing GCP Pub/Sub messages for audit logs where the response status code is 401, indicating unauthorized access attempts. This activity is significant for a SOC because it may indicate reconnaissance or scanning attempts by an attacker trying to identify vulnerable pods. If confirmed malicious, this activity could lead to unauthorized access, allowing the attacker to exploit vulnerabilities within the cluster, potentially compromising sensitive data or gaining control over the Kubernetes environment.
Data_source:
search:`google_gcp_pubsub_message` category=kube-audit |spath input=properties.log |search responseStatus.code=401 |table sourceIPs{} userAgent verb requestURI responseStatus.reason properties.pod
| `gcp_kubernetes_cluster_pod_scan_detection_filter`

how_to_implement:You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk.
known_false_positives:Not all unauthenticated requests are malicious, but frequency, User Agent, source IPs and pods will provide context.
References:
drilldown_searches:
  :
tags:
  analytic_story:
    - 'Kubernetes Scanning Activity'
  asset_type:GCP Kubernetes cluster
  confidence:50
  impact:50
  message:tbd
  mitre_attack_id:
    - 'T1526'
  observable:
    name:'user'
    type:'User'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'category'
    - 'responseStatus.code'
    - 'sourceIPs{}'
    - 'userAgent'
    - 'verb'
    - 'requestURI'
    - 'responseStatus.reason'
    - 'properties.pod'
  risk_score:25
  security_domain:threat

tests:
  :
manual_test:None

Related Analytic Stories


Kubernetes Scanning Activity

© 2024 DetectionCode Website. All Rights Reserved.