Name:Kubernetes Azure detect service accounts forbidden failure access id:019690d7-420f-4da0-b320-f27b09961514 version:3 date:2024-10-17 author:Rod Soto, Splunk status:deprecated type:Hunting Description:This search provides information on Kubernetes service accounts with failure or forbidden access status Data_source:
how_to_implement:You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics known_false_positives:This search can give false positives as there might be inherent issues with authentications and permissions at cluster. References: drilldown_searches:
: tags: analytic_story: - 'Kubernetes Sensitive Object Access Activity' asset_type:Azure AKS Kubernetes cluster confidence:50 impact:50 message:tbd observable: name:'user.username' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' risk_score:25 security_domain:threat
