Kubernetes Scanner Image Pulling
Description
This search uses the Kubernetes logs from Splunk Connect for Kubernetes to detect Kubernetes security scanners being pulled as container images.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2021-08-24
- Author: Patrick Bareiss, Splunk
- ID: 4890cd6b-0112-4974-a272-c5c153aee551
Annotations
ATT&CK
ID | Technique | Tactic |
---|---|---|
T1526 | Cloud Service Discovery | Discovery |
Kill Chain Phase
- Actions on Objectives
NIST
- PR.DS
- PR.AC
- DE.CM
CIS20
- CIS 13
CVE
Search
```spl
`kube_objects_events` object.message IN ("Pulling image *kube-hunter*", "Pulling image *kube-bench*", "Pulling image *kube-recon*")
| rename object.* AS *
| rename involvedObject.* AS *
| rename source.host AS host
| eval phase="operate"
| eval severity="high"
| stats min(_time) as firstTime max(_time) as lastTime count by host, name, namespace, kind, reason, message, phase, severity
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `kubernetes_scanner_image_pulling_filter`
```
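As an added example that is not part of the Splunk detection itself, the following Python reproduces the search's filter and stats stages over constructed Kubernetes event records. The field names mirror those the SPL relies on; the sample events, hosts and timestamps are made up.

```python
"""Re-implementation of the 'Kubernetes Scanner Image Pulling' search logic, run over
constructed event records shaped like Splunk Connect for Kubernetes object events."""
import fnmatch
from collections import defaultdict

# Patterns from the SPL IN(...) clause; '*' is the SPL wildcard, which fnmatch also understands.
SCANNER_PATTERNS = [
    "Pulling image *kube-hunter*",
    "Pulling image *kube-bench*",
    "Pulling image *kube-recon*",
]

# Constructed sample events (not real cluster data). _time is epoch seconds.
SAMPLE_EVENTS = [
    {"_time": 1629800000, "source": {"host": "node-1"},
     "object": {"message": 'Pulling image "aquasec/kube-hunter:latest"', "reason": "Pulling",
                "involvedObject": {"name": "kube-hunter-x7k2", "namespace": "default", "kind": "Pod"}}},
    {"_time": 1629800030, "source": {"host": "node-1"},
     "object": {"message": 'Pulling image "aquasec/kube-hunter:latest"', "reason": "Pulling",
                "involvedObject": {"name": "kube-hunter-x7k2", "namespace": "default", "kind": "Pod"}}},
    {"_time": 1629800100, "source": {"host": "node-2"},
     "object": {"message": 'Pulling image "nginx:1.21"', "reason": "Pulling",
                "involvedObject": {"name": "web-5d9f", "namespace": "prod", "kind": "Pod"}}},
    {"_time": 1629800200, "source": {"host": "node-2"},
     "object": {"message": 'Pulling image "aquasec/kube-bench:v0.6.3"', "reason": "Pulling",
                "involvedObject": {"name": "kube-bench-job-1", "namespace": "kube-system", "kind": "Pod"}}},
]

def is_scanner_pull(message):
    """Mirror of `object.message IN (...)`; SPL field matching is case-insensitive, so lower both."""
    return any(fnmatch.fnmatchcase(message.lower(), p.lower()) for p in SCANNER_PATTERNS)

def scanner_image_pulls(events):
    """Mirror of the rename + eval + stats stages: one row per host/name/namespace/kind/reason/message
    carrying firstTime, lastTime, count and the constant phase/severity fields."""
    groups = defaultdict(list)
    for ev in events:
        obj = ev["object"]
        if not is_scanner_pull(obj["message"]):
            continue
        io = obj["involvedObject"]
        key = (ev["source"]["host"], io["name"], io["namespace"], io["kind"], obj["reason"], obj["message"])
        groups[key].append(ev["_time"])
    rows = []
    for (host, name, ns, kind, reason, message), times in groups.items():
        rows.append({"host": host, "name": name, "namespace": ns, "kind": kind, "reason": reason,
                     "message": message, "phase": "operate", "severity": "high",
                     "firstTime": min(times), "lastTime": max(times), "count": len(times)})
    return sorted(rows, key=lambda r: r["firstTime"])
```

Running `scanner_image_pulls(SAMPLE_EVENTS)` yields two rows: the two kube-hunter pulls on node-1 collapse into one row with count 2, the nginx pull is dropped, and the kube-bench pull on node-2 forms the second row.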
Macros
The SPL above uses the following Macros:
- kube_objects_events
- security_content_ctime
- kubernetes_scanner_image_pulling_filter
Note that kubernetes_scanner_image_pulling_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required field
- object.message
- source.host
- object.involvedObject.name
- object.involvedObject.namespace
- object.involvedObject.kind
- object.reason
How To Implement
You must ingest Kubernetes logs through Splunk Connect for Kubernetes.
Known False Positives
unknown
Associated Analytic story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
81.0 | 90 | 90 | Kubernetes Scanner image pulled on host $host$ |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.
source | version: 1