Kubernetes GCP detect most active service accounts by pod

Name:Kubernetes GCP detect most active service accounts by pod
id:7f5c2779-88a0-4824-9caa-0f606c8f260f
version:3
date:2024-10-17
author:Rod Soto, Splunk
status:deprecated
type:Hunting
Description:This search provides information on Kubernetes service accounts,accessing pods by IP address, verb and decision
Data_source:

search:`google_gcp_pubsub_message` data.protoPayload.request.spec.group{}=system:serviceaccounts
| table src_ip src_user http_user_agent data.protoPayload.request.spec.nonResourceAttributes.verb data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource
| top src_ip src_user http_user_agent data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource |`kubernetes_gcp_detect_most_active_service_accounts_by_pod_filter`

how_to_implement:You must install splunk GCP add on. This search works with pubsub messaging service logs
known_false_positives:Not all service accounts interactions are malicious. Analyst must consider IP, verb and decision context when trying to detect maliciousness.
References:
drilldown_searches:
  :
tags:
  analytic_story:
    - 'Kubernetes Sensitive Role Activity'
  asset_type:GCP GKE Kubernetes cluster
  confidence:50
  impact:50
  message:tbd
  observable:
    name:'src_user'
    type:'User'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
  risk_score:25
  security_domain:threat

tests:
  :
manual_test:None