Kubernetes Azure active service accounts by pod namespace

Original Source: [splunk source]
Name:Kubernetes Azure active service accounts by pod namespace
id:55a2264a-b7f0-45e5-addd-1e5ab3415c72
version:3
date:2024-10-17
author:Rod Soto, Splunk
status:deprecated
type:Hunting
Description:This search lists Kubernetes service account activity against pods and namespaces in AKS kube-audit logs, broken down by source IP address, user, verb, response status and namespace
Data_source:
search:`kubernetes_azure` category=kube-audit
| spath input=properties.log
| search user.groups{}=system:serviceaccounts* OR user.username=system:anonymous OR annotations.authorization.k8s.io/decision=allow
| table sourceIPs{} user.username userAgent verb responseStatus.reason responseStatus.status properties.pod objectRef.namespace
| top sourceIPs{} user.username verb responseStatus.status properties.pod objectRef.namespace |`kubernetes_azure_active_service_accounts_by_pod_namespace_filter`
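The filter and aggregation above can be exercised offline before deploying the search. The Python below is an added example, not part of the Splunk content or of Kubernetes: it decodes constructed kube-audit events (shaped like the Kubernetes audit Event object that AKS places in properties.log), applies the same three-way OR filter, and produces the same kind of top-N table keyed on source IP, username, verb, response code and namespace. It assumes the events carry the standard audit fields; the Azure-specific properties.pod field is left out, and responseStatus.code is used for the status column because successful audit events usually carry only code, not status.

```python
"""Added example: the Splunk search's filter and `top` aggregation re-implemented
over constructed kube-audit events so the logic can be checked offline."""
import json
from collections import Counter

# Constructed sample events (not real cluster data), shaped like Kubernetes
# audit Event objects as they appear inside the AKS diagnostic 'properties.log'.
_SA_LIST_SECRETS = {
    "user": {"username": "system:serviceaccount:kube-system:default",
             "groups": ["system:serviceaccounts",
                        "system:serviceaccounts:kube-system",
                        "system:authenticated"]},
    "verb": "list", "sourceIPs": ["10.240.0.4"],
    "objectRef": {"resource": "secrets", "namespace": "kube-system"},
    "responseStatus": {"metadata": {}, "code": 200},
    "annotations": {"authorization.k8s.io/decision": "allow"},
}
_ANON_GET_PODS = {
    "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
    "verb": "get", "sourceIPs": ["203.0.113.7"],
    "objectRef": {"resource": "pods", "namespace": "default"},
    "responseStatus": {"metadata": {}, "status": "Failure",
                       "reason": "Forbidden", "code": 403},
    "annotations": {"authorization.k8s.io/decision": "forbid"},
}
_USER_CREATE_RB = {
    "user": {"username": "alice@example.com", "groups": ["system:authenticated"]},
    "verb": "create", "sourceIPs": ["198.51.100.2"],
    "objectRef": {"resource": "rolebindings", "namespace": "default"},
    "responseStatus": {"metadata": {}, "code": 201},
    "annotations": {"authorization.k8s.io/decision": "allow"},
}
_USER_DELETE_DENIED = {
    "user": {"username": "bob@example.com", "groups": ["system:authenticated"]},
    "verb": "delete", "sourceIPs": ["198.51.100.9"],
    "objectRef": {"resource": "pods", "namespace": "prod"},
    "responseStatus": {"metadata": {}, "status": "Failure",
                       "reason": "Forbidden", "code": 403},
    "annotations": {"authorization.k8s.io/decision": "forbid"},
}
# The service-account event appears twice so the aggregation shows a count > 1.
SAMPLE_LOG_LINES = [json.dumps(e) for e in
                    (_SA_LIST_SECRETS, _ANON_GET_PODS, _USER_CREATE_RB,
                     _USER_DELETE_DENIED, _SA_LIST_SECRETS)]


def parse_events(lines):
    """Equivalent of `| spath input=properties.log`: decode each JSON audit event."""
    return [json.loads(line) for line in lines]


def matches_search(event):
    """The `| search` clause: service-account group, anonymous user, or any
    request the authorizer allowed. The third branch is what makes the search
    broad: it admits every authorized request regardless of identity."""
    user = event.get("user", {})
    groups = user.get("groups", [])
    decision = event.get("annotations", {}).get("authorization.k8s.io/decision", "")
    return (any(g.startswith("system:serviceaccounts") for g in groups)
            or user.get("username") == "system:anonymous"
            or decision == "allow")


def top_by_pod_namespace(events):
    """Equivalent of the `| top ...` clause: count matching events per
    (source IP, username, verb, response code, namespace), most common first.
    Only the first entry of the multivalue sourceIPs list is used."""
    counter = Counter()
    for e in events:
        if not matches_search(e):
            continue
        key = (
            (e.get("sourceIPs") or [None])[0],
            e.get("user", {}).get("username"),
            e.get("verb"),
            e.get("responseStatus", {}).get("code"),
            e.get("objectRef", {}).get("namespace"),
        )
        counter[key] += 1
    return counter.most_common()


if __name__ == "__main__":
    for key, count in top_by_pod_namespace(parse_events(SAMPLE_LOG_LINES)):
        print(count, *key)
```

Run as a script it prints three rows: the service-account secret listing twice, the anonymous probe once and the human user's allowed rolebinding creation once; the denied delete by a non-service-account user is the only event the filter drops, which illustrates why the results need the IP and verb context mentioned under known_false_positives.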


how_to_implement:You must install the Add-on for Microsoft Cloud Services and configure the kube-audit diagnostic setting on the AKS cluster so that audit events are forwarded to Splunk as category kube-audit
known_false_positives:Not all service account interactions are malicious. Analysts must consider the source IP, verb and namespace context when assessing whether activity is malicious. Note that the annotations.authorization.k8s.io/decision=allow clause matches every authorized request, not only those made by service accounts or the anonymous user, so the results are broad by design.
References:
drilldown_searches:
tags:
  analytic_story:
    - 'Kubernetes Sensitive Role Activity'
  asset_type:Azure AKS Kubernetes cluster
  confidence:50
  impact:50
  message:tbd
  observable:
    - name:'user.username'
      type:'User'
      role:
        - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
  risk_score:25
  security_domain:threat

tests:
manual_test:None

Related Analytic Stories


Kubernetes Sensitive Role Activity