Kubernetes GCP detect sensitive object access

Original Source: [splunk source]

Name:Kubernetes GCP detect sensitive object access
id:bdb6d596-86a0-4aba-8369-418ae8b9963a
version:3
date:2024-10-17
author:Rod Soto, Splunk
status:deprecated
type:Hunting
Description:This search provides information on Kubernetes accounts accessing sensitve objects such as configmaps or secrets
Data_source:

search:`google_gcp_pubsub_message` data.protoPayload.authorizationInfo{}.resource=configmaps OR secrets
| table data.protoPayload.requestMetadata.callerIp src_user data.resource.labels.cluster_name data.protoPayload.request.metadata.namespace data.labels.authorization.k8s.io/decision
| dedup data.protoPayload.requestMetadata.callerIp src_user data.resource.labels.cluster_name |`kubernetes_gcp_detect_sensitive_object_access_filter`

how_to_implement:You must install splunk add on for GCP . This search works with pubsub messaging service logs.
known_false_positives:Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.
References:
drilldown_searches:
:
tags:
analytic_story:
- 'Kubernetes Sensitive Object Access Activity'
asset_type:GCP GKE Kubernetes cluster
confidence:50
impact:50
message:tbd
observable:
name:'src_user'
type:'User'
- role:
- 'Victim'
product:
- 'Splunk Enterprise'
- 'Splunk Enterprise Security'
- 'Splunk Cloud'
required_fields:
- '_time'
risk_score:25
security_domain:threat

tests:
:
manual_test:None

Sign Up to Personalize and Manage Your Detection

Kubernetes GCP detect sensitive object access

Related Analytic Stories