Kubernetes GCP detect service accounts forbidden failure access

Name:Kubernetes GCP detect service accounts forbidden failure access
id:7094808d-432a-48e7-bb3c-77e96c894f3b
version:3
date:2024-10-17
author:Rod Soto, Splunk
status:deprecated
type:Hunting
Description:This search provides information on Kubernetes service accounts with failure or forbidden access status, this search can be extended by using top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URI
Data_source:

search:`google_gcp_pubsub_message` system:serviceaccounts data.protoPayload.response.status.allowed!=*
| table src_ip src_user http_user_agent data.protoPayload.response.spec.resourceAttributes.namespace data.resource.labels.cluster_name data.protoPayload.response.spec.resourceAttributes.verb data.protoPayload.request.status.allowed data.protoPayload.response.status.reason data.labels.authorization.k8s.io/decision
| dedup src_ip src_user
| `kubernetes_gcp_detect_service_accounts_forbidden_failure_access_filter`

how_to_implement:You must install splunk add on for GCP. This search works with pubsub messaging service logs.
known_false_positives:This search can give false positives as there might be inherent issues with authentications and permissions at cluster.
References:
drilldown_searches:
  :
tags:
  analytic_story:
    - 'Kubernetes Sensitive Object Access Activity'
  asset_type:GCP GKE Kubernetes cluster
  confidence:50
  impact:50
  message:tbd
  observable:
    name:'src_user'
    type:'User'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
  risk_score:25
  security_domain:threat

tests:
  :
manual_test:None