Name:Kubernetes AWS detect service accounts forbidden failure access id:a6959c57-fa8f-4277-bb86-7c32fba579d5 version:4 date:2024-11-14 author:Rod Soto, Splunk status:deprecated type:Hunting Description:This search provides information on Kubernetes service accounts with failure or forbidden access status, this search can be extended by using top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URI Data_source:
how_to_implement:You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs. known_false_positives:This search can give false positives as there might be inherent issues with authentications and permissions at cluster. References: drilldown_searches:
: tags: analytic_story: - 'Kubernetes Sensitive Object Access Activity' asset_type:AWS EKS Kubernetes cluster product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:threat
