Kubernetes Azure detect suspicious kubectl calls

Name:Kubernetes Azure detect suspicious kubectl calls
id:4b6d1ba8-0000-4cec-87e6-6cbbd71651b5
version:3
date:2024-10-17
author:Rod Soto, Splunk
status:deprecated
type:Hunting
Description:This search provides information on rare Kubectl calls with IP, verb namespace and object access context
Data_source:

search:`kubernetes_azure` category=kube-audit
| spath input=properties.log
| spath input=responseObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration
| search userAgent=kubectl* sourceIPs{}!=127.0.0.1 sourceIPs{}!=::1
| table sourceIPs{} verb userAgent user.groups{} objectRef.resource objectRef.namespace requestURI
| rare sourceIPs{} verb userAgent user.groups{} objectRef.resource objectRef.namespace requestURI |`kubernetes_azure_detect_suspicious_kubectl_calls_filter`

how_to_implement:You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics
known_false_positives:Kubectl calls are not malicious by nature. However source IP, verb and Object can reveal potential malicious activity, specially suspicious IPs and sensitive objects such as configmaps or secrets
References:
drilldown_searches:
  :
tags:
  analytic_story:
    - 'Kubernetes Sensitive Object Access Activity'
  asset_type:Azure AKS Kubernetes cluster
  confidence:50
  impact:50
  message:tbd
  observable:
    name:'sourceIPs{}'
    type:'IP Address'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
  risk_score:25
  security_domain:threat

tests:
  :
manual_test:None