Data Source: Kubernetes Audit

Description

Records requests handled by the Kubernetes API server: the authenticated user and groups, source IP, user agent, verb, target resource and namespace, the authorization decision and the response status. When the audit policy logs at the Request or RequestResponse level, the request and response bodies are included as well, which is what exposes resource creation and configuration changes (for example a Pod spec) rather than only the fact that a call was made.

Details

Property   | Value
Source     | kubernetes
Sourcetype | _json
Name                                               | Technique                   | Type
Kubernetes Abuse of Secret by Unusual Location     | Container API               | Anomaly
Kubernetes Abuse of Secret by Unusual User Agent   | Container API               | Anomaly
Kubernetes Abuse of Secret by Unusual User Group   | Container API               | Anomaly
Kubernetes Abuse of Secret by Unusual User Name    | Container API               | Anomaly
Kubernetes Access Scanning                         | Network Service Discovery   | Anomaly
Kubernetes AWS detect suspicious kubectl calls     | None                        | Anomaly
Kubernetes Create or Update Privileged Pod         | User Execution              | Anomaly
Kubernetes Cron Job Creation                       | Container Orchestration Job | Anomaly
Kubernetes DaemonSet Deployed                      | User Execution              | Anomaly
Kubernetes Node Port Creation                      | User Execution              | Anomaly
Kubernetes Pod Created in Default Namespace        | User Execution              | Anomaly
Kubernetes Pod With Host Network Attachment        | User Execution              | Anomaly
Kubernetes Scanning by Unauthenticated IP Address  | Network Service Discovery   | Anomaly
Kubernetes Suspicious Image Pulling                | Cloud Service Discovery     | Anomaly
Kubernetes Unauthorized Access                     | User Execution              | Anomaly

Event Fields

_time
annotations.authorization.k8s.io/decision
annotations.authorization.k8s.io/reason
apiVersion
auditID
eventtype
host
index
kind
level
linecount
objectRef.apiGroup
objectRef.apiVersion
objectRef.namespace
objectRef.resource
punct
requestReceivedTimestamp
requestURI
responseObject.apiVersion
responseObject.code
responseObject.details.group
responseObject.details.kind
responseObject.kind
responseObject.message
responseObject.reason
responseObject.status
responseStatus.code
responseStatus.details.group
responseStatus.details.kind
responseStatus.message
responseStatus.reason
responseStatus.status
source
sourceIPs{}
sourcetype
splunk_server
stage
stageTimestamp
tag
tag::eventtype
timestamp
user.groups{}
user.uid
user.username
userAgent
verb

Example Log

{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"582c31ab-4906-49bb-9ff9-872f980ccb84","stage":"ResponseComplete","requestURI":"/apis/batch/v1/namespaces/test2/jobs?fieldManager=kubectl-create\u0026fieldValidation=Strict","verb":"create","user":{"username":"k8s-test-user","uid":"aws-iam-authenticator:111111111111:AROAYTXXXXXXHNXXXXX","groups":["system:authenticated"]},"sourceIPs":["176.95.188.101"],"userAgent":"kubectl/v1.27.2 (darwin/arm64) kubernetes/7f6f68f","objectRef":{"resource":"jobs","namespace":"test2","apiGroup":"batch","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Failure","message":"jobs.batch is forbidden: User \"k8s-test-user\" cannot create resource \"jobs\" in API group \"batch\" in the namespace \"test2\"","reason":"Forbidden","details":{"group":"batch","kind":"jobs"},"code":403},"responseObject":{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"jobs.batch is forbidden: User \"k8s-test-user\" cannot create resource \"jobs\" in API group \"batch\" in the namespace \"test2\"","reason":"Forbidden","details":{"group":"batch","kind":"jobs"},"code":403},"requestReceivedTimestamp":"2023-12-07T14:44:53.358394Z","stageTimestamp":"2023-12-07T14:44:53.375985Z","annotations":{"authorization.k8s.io/decision":"forbid","authorization.k8s.io/reason":""}}
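The example log above is a single 403 event, which is the raw material for the "Unauthorized Access" and "Scanning by Unauthenticated IP Address" style detections listed earlier. The block below is an added example, not Splunk's detection content and not part of this page: it parses newline-delimited JSON audit events (the shape the _json sourcetype ingests) and applies simple checks that mirror four of the listed detection themes (forbidden requests, unauthenticated callers, privileged or hostNetwork pods, pods created in the default namespace). The sample events are constructed; the first is the page's example trimmed to the fields used, and the third assumes an audit policy that logs request bodies, since the requestObject field only exists at the Request or RequestResponse level.

```python
"""Toy detection pass over Kubernetes audit events (added example, not Splunk's logic)."""
import json
from typing import Dict, Iterator, List, Optional

# Constructed sample events. Line 1 is the page's example log trimmed to the
# fields used here; lines 2-4 are made up to exercise the remaining checks.
SAMPLE_LOG = r'''
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"582c31ab-4906-49bb-9ff9-872f980ccb84","stage":"ResponseComplete","requestURI":"/apis/batch/v1/namespaces/test2/jobs","verb":"create","user":{"username":"k8s-test-user","groups":["system:authenticated"]},"sourceIPs":["176.95.188.101"],"userAgent":"kubectl/v1.27.2 (darwin/arm64) kubernetes/7f6f68f","objectRef":{"resource":"jobs","namespace":"test2","apiGroup":"batch","apiVersion":"v1"},"responseStatus":{"status":"Failure","reason":"Forbidden","code":403},"annotations":{"authorization.k8s.io/decision":"forbid","authorization.k8s.io/reason":""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces","verb":"list","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.7"],"userAgent":"python-requests/2.31","objectRef":{"resource":"namespaces","apiVersion":"v1"},"responseStatus":{"status":"Failure","reason":"Forbidden","code":403},"annotations":{"authorization.k8s.io/decision":"forbid","authorization.k8s.io/reason":""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"dev-user","groups":["system:authenticated","developers"]},"sourceIPs":["10.0.0.5"],"userAgent":"kubectl/v1.27.2 (linux/amd64) kubernetes/7f6f68f","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"dbg","namespace":"default"},"spec":{"hostNetwork":true,"containers":[{"name":"sh","image":"busybox","securityContext":{"privileged":true}}]}},"responseStatus":{"code":201},"annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by RoleBinding"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/pods","verb":"list","user":{"username":"system:serviceaccount:kube-system:metrics-server","groups":["system:serviceaccounts","system:authenticated"]},"sourceIPs":["10.0.0.9"],"userAgent":"metrics-server/v0.6.4","objectRef":{"resource":"pods","namespace":"kube-system","apiVersion":"v1"},"responseStatus":{"code":200},"annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding"}}
'''

# "patch" carries a diff rather than a full object, so the body checks below
# deliberately cover only verbs that submit a complete Pod manifest.
MUTATING_VERBS = {"create", "update"}


def parse_events(text: str) -> Iterator[dict]:
    """Yield one audit event per non-empty line of newline-delimited JSON."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def is_unauthenticated(ev: dict) -> bool:
    """Anonymous callers show up as system:anonymous / system:unauthenticated."""
    user = ev.get("user", {})
    return (user.get("username") == "system:anonymous"
            or "system:unauthenticated" in user.get("groups", []))


def is_forbidden(ev: dict) -> bool:
    """Prefer the authorizer's own annotation; fall back to the HTTP status."""
    decision = ev.get("annotations", {}).get("authorization.k8s.io/decision")
    return decision == "forbid" or ev.get("responseStatus", {}).get("code") == 403


def pod_spec(ev: dict) -> Optional[dict]:
    """Pod spec from requestObject for a create/update of pods, else None.

    requestObject is only present when the audit policy level is Request or
    RequestResponse for this resource; Metadata-level events cannot be checked.
    """
    if ev.get("verb") not in MUTATING_VERBS:
        return None
    if ev.get("objectRef", {}).get("resource") != "pods":
        return None
    return ev.get("requestObject", {}).get("spec")


def findings_for(ev: dict) -> List[str]:
    """Return the list of detection themes this single event matches."""
    out: List[str] = []
    if is_forbidden(ev):
        out.append("unauthenticated_scan" if is_unauthenticated(ev) else "unauthorized_access")
    spec = pod_spec(ev)
    if spec is not None:
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        if any(c.get("securityContext", {}).get("privileged") for c in containers):
            out.append("privileged_pod")
        if spec.get("hostNetwork"):
            out.append("host_network_pod")
        if ev.get("objectRef", {}).get("namespace") == "default":
            out.append("pod_in_default_namespace")
    return out


def analyze(text: str) -> Dict[str, List[str]]:
    """Map auditID -> findings, keeping only events that triggered something."""
    result: Dict[str, List[str]] = {}
    for ev in parse_events(text):
        hits = findings_for(ev)
        if hits:
            result[ev["auditID"]] = hits
    return result


if __name__ == "__main__":
    for audit_id, hits in analyze(SAMPLE_LOG).items():
        print(audit_id, hits)
```

Two points worth carrying over to a real detection: the 403 check above keys on the authorizer annotation rather than only on `responseStatus.code`, because the annotation is written by the RBAC layer itself and survives even when the response body is not logged; and anything keyed on `requestObject` silently returns nothing for resources the audit policy records at Metadata level, so verify the policy before trusting a zero-hit result for privileged pods.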

Source: GitHub | Version: 2