Name:Kubernetes Azure pod scan fingerprint id:86aad3e0-732f-4f66-bbbc-70df448e461d version:3 date:2024-10-17 author:Rod Soto, Splunk status:deprecated type:Hunting Description:This search provides information of unauthenticated requests via source IP user agent, request URI and response status data against Kubernetes cluster pod in Azure Data_source:
how_to_implement:You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics known_false_positives:Not all unauthenticated requests are malicious, but source IPs, userAgent, verb, request URI and response status will provide context. References: drilldown_searches:
: tags: analytic_story: - 'Kubernetes Scanning Activity' asset_type:Azure AKS Kubernetes cluster confidence:50 impact:50 message:tbd observable: name:'sourceIPs{}' type:'IP Address' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' risk_score:25 security_domain:threat
