Name: Kubernetes Azure scan fingerprint
id: c5e5bd5c-1013-4841-8b23-e7b3253c840a
version: 4
date: 2024-11-14
author: Rod Soto, Splunk
status: deprecated
type: Hunting
Description: This search provides information on unauthenticated requests against a Kubernetes cluster in Azure, including source IP, user agent, request URI and response status.
Data_source:
how_to_implement: You must install the Add-on for Microsoft Cloud Services and configure Kube-Audit data diagnostics.
known_false_positives: Not all unauthenticated requests are malicious, but source IPs, userAgent, verb, request URI and response status will provide context.
References:
drilldown_searches:
tags:
  analytic_story:
    - 'Kubernetes Scanning Activity'
  asset_type: Azure AKS Kubernetes cluster
  mitre_attack_id:
    - 'T1526'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  security_domain: threat