Kubernetes AWS detect RBAC authorization by account

Name:Kubernetes AWS detect RBAC authorization by account
id:de7264ed-3ed9-4fef-bb01-6eefc87cefe8
version:3
date:2024-10-17
author:Rod Soto, Splunk
status:deprecated
type:Hunting
Description:This search provides information on Kubernetes RBAC authorizations by accounts, this search can be modified by adding top to see both extremes of RBAC by accounts occurrences
Data_source:

search:`aws_cloudwatchlogs_eks` annotations.authorization.k8s.io/reason=*
| table sourceIPs{} user.username userAgent annotations.authorization.k8s.io/reason
| stats count by user.username annotations.authorization.k8s.io/reason
| rare user.username annotations.authorization.k8s.io/reason |`kubernetes_aws_detect_rbac_authorization_by_account_filter`

how_to_implement:You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs
known_false_positives:Not all RBAC Authorications are malicious. RBAC authorizations can uncover malicious activity specially if sensitive Roles have been granted.
References:
drilldown_searches:
  :
tags:
  analytic_story:
    - 'Kubernetes Sensitive Role Activity'
  asset_type:AWS EKS Kubernetes cluster
  confidence:50
  impact:50
  message:tbd
  observable:
    name:'user.username'
    type:'User'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
  risk_score:25
  security_domain:threat

tests:
  :
manual_test:None