
Description

This search uses the Kubernetes object events ingested through Splunk Connect for Kubernetes to detect pulls of Kubernetes security scanner container images (kube-hunter, kube-bench, kube-recon). An attacker who has gained a foothold in a cluster commonly runs one of these scanners to enumerate the cluster and its weaknesses.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Dev Sec Ops Analytics
  • Datamodel:
  • Last Updated: 2021-08-24
  • Author: Patrick Bareiss, Splunk
  • ID: 4890cd6b-0112-4974-a272-c5c153aee551

ATT&CK

ID     Technique                Tactic
T1526  Cloud Service Discovery  Discovery
`kube_objects_events` object.message IN ("Pulling image *kube-hunter*", "Pulling image *kube-bench*", "Pulling image *kube-recon*") 
| rename object.* AS * 
| rename involvedObject.* AS * 
| rename source.host AS host 
| eval phase="operate" 
| eval severity="high" 
| stats min(_time) as firstTime max(_time) as lastTime count by host, name, namespace, kind, reason, message, phase, severity 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `kubernetes_scanner_image_pulling_filter`
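The search above is easier to reason about when the same logic is run outside Splunk over a handful of events. The following is an added example, not Splunk's code and not part of the detection page: it re-implements the wildcard match, the field renames, the `stats ... by` aggregation and the filter macro in Python over constructed Kubernetes Event records in the dotted-field shape Splunk Connect for Kubernetes produces. The allowlist standing in for `kubernetes_scanner_image_pulling_filter`, the sample hosts and namespaces are all assumptions made up for the example.

```python
"""Offline re-implementation of the 'Kubernetes Scanner Image Pulling' search.

Added example (not Splunk's own code). Assumes Splunk Connect for Kubernetes
emits one record per Kubernetes Event carrying the fields the search uses:
object.message, object.reason, object.involvedObject.*, source.host.
"""
from fnmatch import fnmatchcase

# The IN(...) clause of the search. Splunk's search command matches field
# values case-insensitively, so both sides are lower-cased before matching.
SCANNER_PATTERNS = (
    "Pulling image *kube-hunter*",
    "Pulling image *kube-bench*",
    "Pulling image *kube-recon*",
)

# Stand-in for the `kubernetes_scanner_image_pulling_filter` macro: pairs of
# (namespace, image substring) that the security team is known to run.
# Constructed for this example; a real macro would be tuned per environment.
ALLOWLIST = {("security-tooling", "kube-bench")}

# Fields the `stats ... by` clause groups on (after the renames).
GROUP_KEYS = ("host", "name", "namespace", "kind", "reason",
              "message", "phase", "severity")


def _event(ts, host, ns, pod, reason, message):
    """Build one constructed event in the flattened dotted-key layout."""
    return {
        "_time": ts,
        "source.host": host,
        "object.reason": reason,
        "object.involvedObject.kind": "Pod",
        "object.involvedObject.name": pod,
        "object.involvedObject.namespace": ns,
        "object.message": message,
    }


# Constructed sample events: two pulls of kube-hunter on node-a, a "Pulled"
# event that must not match, an allowlisted kube-bench run, and a benign image.
SAMPLE_EVENTS = [
    _event(1629792000, "node-a", "default", "kube-hunter-7d9f", "Pulling",
           'Pulling image "aquasec/kube-hunter:latest"'),
    _event(1629792030, "node-a", "default", "kube-hunter-7d9f", "Pulling",
           'Pulling image "aquasec/kube-hunter:latest"'),
    _event(1629792100, "node-b", "default", "kube-hunter-7d9f", "Pulled",
           'Successfully pulled image "aquasec/kube-hunter:latest"'),
    _event(1629792200, "node-c", "security-tooling", "kube-bench-x1z2", "Pulling",
           'Pulling image "aquasec/kube-bench:v0.6.10"'),
    _event(1629792300, "node-b", "dev", "web-5c8d", "Pulling",
           'Pulling image "nginx:1.21"'),
]


def matches_scanner_pull(message):
    """Equivalent of object.message IN (<wildcard patterns>)."""
    msg = message.lower()
    return any(fnmatchcase(msg, pat.lower()) for pat in SCANNER_PATTERNS)


def rename_fields(event):
    """Apply 'rename object.* AS *', 'rename involvedObject.* AS *',
    'rename source.host AS host' and the two eval'd constant fields."""
    out = {}
    for key, value in event.items():
        if key.startswith("object."):
            key = key[len("object."):]
        if key.startswith("involvedObject."):
            key = key[len("involvedObject."):]
        if key == "source.host":
            key = "host"
        out[key] = value
    out["phase"] = "operate"
    out["severity"] = "high"
    return out


def is_allowlisted(row):
    """Stand-in for the filter macro: drop known, authorized scanner runs."""
    return any(row["namespace"] == ns and image in row["message"]
               for ns, image in ALLOWLIST)


def detect(events):
    """Run the full pipeline and return one result row per stats group."""
    groups = {}
    for ev in events:
        if not matches_scanner_pull(ev.get("object.message", "")):
            continue
        row = rename_fields(ev)
        key = tuple(row.get(k) for k in GROUP_KEYS)
        agg = groups.setdefault(key, {"firstTime": row["_time"],
                                      "lastTime": row["_time"], "count": 0})
        agg["firstTime"] = min(agg["firstTime"], row["_time"])
        agg["lastTime"] = max(agg["lastTime"], row["_time"])
        agg["count"] += 1

    results = []
    for key, agg in groups.items():
        row = dict(zip(GROUP_KEYS, key))
        row.update(agg)
        if is_allowlisted(row):          # the filter macro runs after stats
            continue
        row["risk_message"] = f"Kubernetes Scanner image pulled on host {row['host']}"
        results.append(row)
    return results


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Two behaviours of the real search are visible here that the SPL alone hides: the "Successfully pulled image ..." event does not match because the patterns are anchored on "Pulling image" at the start of the message, so a scanner whose pull was already cached on the node will produce no "Pulling" event at all; and because `message` is part of the `stats ... by` key, the same image pulled with a different tag lands in a separate result row rather than being counted together.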

Associated Analytic Story

How To Implement

You must ingest Kubernetes object events through Splunk Connect for Kubernetes so that the `kube_objects_events` macro resolves to the index and sourcetype holding them. Tune the `kubernetes_scanner_image_pulling_filter` macro to exclude scanner runs you authorize.

Required field

  • object.message
  • source.host
  • object.involvedObject.name
  • object.involvedObject.namespace
  • object.involvedObject.kind
  • object.reason

Kill Chain Phase

  • Actions on Objectives

Known False Positives

Unknown. Authorized runs of kube-bench (CIS benchmark checks) or kube-hunter by platform or security teams will match this search; exclude them through the `kubernetes_scanner_image_pulling_filter` macro rather than by loosening the image patterns.

RBA

Risk Score  Impact  Confidence  Message
81.0        90      90          Kubernetes Scanner image pulled on host $host$

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1