Kubernetes AWS detect service accounts forbidden failure access

Name:Kubernetes AWS detect service accounts forbidden failure access
id:a6959c57-fa8f-4277-bb86-7c32fba579d5
version:3
date:2024-10-17
author:Rod Soto, Splunk
status:deprecated
type:Hunting
Description:This search provides information on Kubernetes service accounts with failure or forbidden access status, this search can be extended by using top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URI
Data_source:

search:`aws_cloudwatchlogs_eks` user.groups{}=system:serviceaccounts responseStatus.status = Failure
| table sourceIPs{} user.username userAgent verb responseStatus.status requestURI
| `kubernetes_aws_detect_service_accounts_forbidden_failure_access_filter`

how_to_implement:You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs.
known_false_positives:This search can give false positives as there might be inherent issues with authentications and permissions at cluster.
References:
drilldown_searches:
  :
tags:
  analytic_story:
    - 'Kubernetes Sensitive Object Access Activity'
  asset_type:AWS EKS Kubernetes cluster
  confidence:50
  impact:50
  message:tbd
  observable:
    name:'sourceIPs{}'
    type:'IP Address'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
  risk_score:25
  security_domain:threat

tests:
  :
manual_test:None