GCP Kubernetes cluster scan detection

Original Source: [splunk source]
Name:GCP Kubernetes cluster scan detection
id:db5957ec-0144-4c56-b512-9dccbe7a2d26
version:3
date:2024-10-17
author:Rod Soto, Splunk
status:deprecated
type:TTP
Description:This search reports unauthenticated (system:anonymous) requests against a Kubernetes cluster that the API server denied, using the caller's source IP, user agent and the request's authentication data as context.
Data_source:
search:`google_gcp_pubsub_message` data.protoPayload.requestMetadata.callerIp!=127.0.0.1 data.protoPayload.requestMetadata.callerIp!=::1 "data.labels.authorization.k8s.io/decision"=forbid "data.protoPayload.status.message"=PERMISSION_DENIED data.protoPayload.authenticationInfo.principalEmail="system:anonymous"
| rename data.protoPayload.requestMetadata.callerIp as src_ip
| stats count min(_time) as firstTime max(_time) as lastTime values(data.protoPayload.methodName) as method_name values(data.protoPayload.resourceName) as resource_name values(data.protoPayload.requestMetadata.callerSuppliedUserAgent) as http_user_agent by src_ip data.resource.labels.cluster_name
| rename data.resource.labels.cluster_name as cluster_name
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `gcp_kubernetes_cluster_scan_detection_filter`
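The same filter and aggregation, expressed outside Splunk so the logic can be checked against sample events. This is an added example, not part of the original detection or of Splunk's security_content project. The Pub/Sub messages it runs over are constructed, the top-level `timestamp` standing in for Splunk's `_time` is an assumption, and `ctime()` only approximates the `security_content_ctime` macro's rendering.

```python
import json
from datetime import datetime
from typing import Any, Dict, Iterable, List, Optional, Tuple

# Constructed Pub/Sub messages carrying GKE audit-log entries. Field paths follow the
# Splunk search above (data.protoPayload..., data.labels..., data.resource.labels...).
# The top-level "timestamp" standing in for Splunk's _time is an assumption.
def _entry(ts, ip, principal, decision, status, method, resource, ua, cluster):
    return json.dumps({"data": {
        "timestamp": ts,
        "labels": {"authorization.k8s.io/decision": decision},
        "resource": {"type": "k8s_cluster", "labels": {"cluster_name": cluster}},
        "protoPayload": {
            "methodName": method,
            "resourceName": resource,
            "status": {"message": status} if status else {},
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip, "callerSuppliedUserAgent": ua},
        },
    }})

SAMPLE_MESSAGES = [
    # Two anonymous, forbidden probes from one external address: aggregate into one row.
    _entry("2024-10-17T10:00:00Z", "203.0.113.10", "system:anonymous", "forbid",
           "PERMISSION_DENIED", "io.k8s.core.v1.pods.list",
           "core/v1/namespaces/kube-system/pods", "curl/8.4.0", "prod-gke"),
    _entry("2024-10-17T10:00:05Z", "203.0.113.10", "system:anonymous", "forbid",
           "PERMISSION_DENIED", "io.k8s.core.v1.secrets.list",
           "core/v1/secrets", "python-requests/2.31.0", "prod-gke"),
    # Loopback caller: excluded by the search's callerIp!=127.0.0.1 / !=::1 clauses.
    _entry("2024-10-17T10:00:07Z", "127.0.0.1", "system:anonymous", "forbid",
           "PERMISSION_DENIED", "io.k8s.core.v1.pods.list",
           "core/v1/namespaces/default/pods", "kube-probe/1.29", "prod-gke"),
    # Authenticated user denied by RBAC: not anonymous, excluded.
    _entry("2024-10-17T10:01:00Z", "198.51.100.7", "alice@example.com", "forbid",
           "PERMISSION_DENIED", "io.k8s.core.v1.nodes.list",
           "core/v1/nodes", "kubectl/v1.29.0", "prod-gke"),
    # Anonymous request the API server allowed (decision=allow, no denied status): excluded.
    _entry("2024-10-17T10:01:30Z", "198.51.100.7", "system:anonymous", "allow",
           None, "io.k8s.get", "version", "curl/8.4.0", "dev-gke"),
    # A second source on a second cluster: its own row.
    _entry("2024-10-17T10:02:00Z", "198.51.100.7", "system:anonymous", "forbid",
           "PERMISSION_DENIED", "io.k8s.core.v1.pods.list",
           "core/v1/namespaces/default/pods", "curl/8.4.0", "dev-gke"),
]

LOOPBACK = {"127.0.0.1", "::1"}


def _get(obj: Any, path: Tuple[str, ...]) -> Optional[Any]:
    """Walk a path through nested dicts; None if any segment is missing."""
    for part in path:
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def matches(entry: Dict[str, Any]) -> bool:
    """Same predicate as the search's base filter (non-loopback, anonymous, forbidden)."""
    ip = _get(entry, ("protoPayload", "requestMetadata", "callerIp"))
    if ip is None or ip in LOOPBACK:
        return False
    return (
        _get(entry, ("labels", "authorization.k8s.io/decision")) == "forbid"
        and _get(entry, ("protoPayload", "status", "message")) == "PERMISSION_DENIED"
        and _get(entry, ("protoPayload", "authenticationInfo", "principalEmail")) == "system:anonymous"
    )


def ctime(dt: datetime) -> str:
    """Approximation of security_content_ctime's output format (assumed)."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S")


def summarize(messages: Iterable[str], min_count: int = 1) -> List[Dict[str, Any]]:
    """Equivalent of the `stats ... by src_ip cluster_name` stage; min_count is an added
    frequency threshold for tuning, since lone anonymous requests are common."""
    rows: Dict[Tuple[str, str], Dict[str, Any]] = {}
    for raw in messages:
        entry = json.loads(raw)["data"]
        if not matches(entry):
            continue
        key = (_get(entry, ("protoPayload", "requestMetadata", "callerIp")),
               _get(entry, ("resource", "labels", "cluster_name")))
        ts = datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))
        row = rows.setdefault(key, {"count": 0, "first": ts, "last": ts,
                                    "method_name": set(), "resource_name": set(),
                                    "http_user_agent": set()})
        row["count"] += 1
        row["first"] = min(row["first"], ts)
        row["last"] = max(row["last"], ts)
        row["method_name"].add(_get(entry, ("protoPayload", "methodName")))
        row["resource_name"].add(_get(entry, ("protoPayload", "resourceName")))
        row["http_user_agent"].add(
            _get(entry, ("protoPayload", "requestMetadata", "callerSuppliedUserAgent")))
    out = []
    for (src_ip, cluster), r in rows.items():
        if r["count"] < min_count:
            continue
        out.append({"src_ip": src_ip, "cluster_name": cluster, "count": r["count"],
                    "firstTime": ctime(r["first"]), "lastTime": ctime(r["last"]),
                    "method_name": sorted(r["method_name"]),
                    "resource_name": sorted(r["resource_name"]),
                    "http_user_agent": sorted(r["http_user_agent"])})
    out.sort(key=lambda r: (-r["count"], r["src_ip"]))
    return out


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_MESSAGES), indent=2))
```

Of the six constructed events only three survive the filter, and they collapse into two rows keyed by source IP and cluster; raising `min_count` drops the single-request row, which is the kind of frequency-based tuning the false-positives note below refers to.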


how_to_implement:You must install the GCP App for Splunk (version 2.0.0 or later), then configure Stackdriver and set up a Pub/Sub subscription to be imported into Splunk. You must also install the Cloud Infrastructure data model. Customize the macro kubernetes_gcp_scan_fingerprint_attack_detection to filter out false positives.
known_false_positives:Not all unauthenticated requests are malicious, but request frequency, user agent and source IPs will provide context.
References:
drilldown_searches:
tags:
  analytic_story:
    - 'Kubernetes Scanning Activity'
  asset_type:GCP Kubernetes cluster
  confidence:50
  impact:50
  message:tbd
  mitre_attack_id:
    - 'T1526'
  observable:
    - name: 'src_ip'
      type: 'IP Address'
      role:
        - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
  risk_score:25
  security_domain:threat

tests:
manual_test:None

Related Analytic Stories

Kubernetes Scanning Activity