Name:GCP Kubernetes cluster pod scan detection id:19b53215-4a16-405b-8087-9e6acf619842 version:4 date:2024-11-14 author:Rod Soto, Splunk status:experimental type:Hunting Description:The following analytic identifies unauthenticated requests to Kubernetes cluster pods. It detects this activity by analyzing GCP Pub/Sub messages for audit logs where the response status code is 401, indicating unauthorized access attempts. This activity is significant for a SOC because it may indicate reconnaissance or scanning attempts by an attacker trying to identify vulnerable pods. If confirmed malicious, this activity could lead to unauthorized access, allowing the attacker to exploit vulnerabilities within the cluster, potentially compromising sensitive data or gaining control over the Kubernetes environment. Data_source:
how_to_implement:You must install the GCP App for Splunk (version 2.0.0 or later), then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk. known_false_positives:Not all unauthenticated requests are malicious, but frequency, User Agent, source IPs and pods will provide context. References: drilldown_searches:
: tags: analytic_story: - 'Kubernetes Scanning Activity' asset_type:GCP Kubernetes cluster mitre_attack_id: - 'T1526' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:threat
