Analytics Story: Kubernetes Scanning Activity

Description

This story covers detection of fingerprint scans and attacks against Kubernetes clusters, surfacing details such as the source IP, user agent and cluster name of the requests involved.

Why it matters

Kubernetes is the most widely used container orchestration platform, and it holds sensitive information and management privileges over production workloads, microservices and applications. These searches allow an operator to detect suspicious unauthenticated requests from the internet to a Kubernetes cluster.
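The detections in this story are Splunk searches over cloud provider logs; the following Python is an added, stand-alone illustration of the same idea and is not part of the story or of Splunk's content. It assumes the input is the Kubernetes API-server audit log in NDJSON form (audit.k8s.io/v1 Event objects, which carry user.username, user.groups, sourceIPs, userAgent and requestURI), treats a request as unauthenticated when the username is system:anonymous or the groups contain system:unauthenticated, and flags an (source IP, user agent) pair as a scan candidate once it has touched a configurable number of distinct URIs from outside RFC 1918, loopback and link-local space. The sample audit events, the IP addresses and the threshold are constructed for the example.

```python
import ipaddress
import json
from collections import defaultdict

# Networks treated as "not the internet". Listed explicitly instead of using
# ipaddress.is_private, because is_private also classifies the RFC 5737
# documentation ranges (203.0.113.0/24, 198.51.100.0/24) as private, and the
# constructed sample below uses those ranges as stand-ins for external scanners.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
              "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")
]


def _event(uri, ip, ua, username="system:anonymous",
           groups=("system:unauthenticated",), code=403):
    """Build one audit.k8s.io/v1 Event dict (constructed sample data, not real logs)."""
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
            "verb": "get", "requestURI": uri, "userAgent": ua,
            "user": {"username": username, "groups": list(groups)},
            "sourceIPs": [ip], "responseStatus": {"code": code}}


# Constructed sample audit log (NDJSON, one Event per line); hypothetical values.
SAMPLE_AUDIT_NDJSON = "\n".join(json.dumps(e) for e in [
    # one external client walking the discovery endpoints anonymously
    _event("/api", "203.0.113.7", "python-requests/2.31"),
    _event("/apis", "203.0.113.7", "python-requests/2.31"),
    _event("/api/v1/pods", "203.0.113.7", "python-requests/2.31"),
    _event("/version", "203.0.113.7", "python-requests/2.31", code=200),
    # anonymous but internal: a load-balancer health check, should not match
    _event("/healthz", "10.0.1.5", "kube-probe/1.27", code=200),
    # authenticated in-cluster component, should never match
    _event("/api/v1/pods", "10.0.1.8", "kubelet/v1.27",
           username="system:node:ip-10-0-1-8",
           groups=("system:nodes", "system:authenticated"), code=200),
    # a single external anonymous request: noisy, but below the threshold
    _event("/version", "198.51.100.9", "curl/8.1", code=200),
])


def is_internet_source(ip_str):
    """True when the address parses and lies outside every internal network above."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def is_unauthenticated(event):
    """Anonymous requests are attributed to system:anonymous / system:unauthenticated."""
    user = event.get("user") or {}
    return (user.get("username") == "system:anonymous"
            or "system:unauthenticated" in (user.get("groups") or []))


def find_scan_candidates(audit_ndjson, min_distinct_uris=3):
    """Map (source_ip, user_agent) -> sorted distinct requestURIs for unauthenticated
    requests from internet addresses, keeping pairs that hit >= min_distinct_uris."""
    hits = defaultdict(set)
    for line in audit_ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if not is_unauthenticated(event):
            continue
        # sourceIPs[0] is the original client; later entries are proxies/load balancers
        source_ip = (event.get("sourceIPs") or [""])[0]
        if not is_internet_source(source_ip):
            continue
        hits[(source_ip, event.get("userAgent", ""))].add(event.get("requestURI", ""))
    return {key: sorted(uris) for key, uris in hits.items() if len(uris) >= min_distinct_uris}


if __name__ == "__main__":
    for (ip, ua), uris in find_scan_candidates(SAMPLE_AUDIT_NDJSON).items():
        print(f"{ip} [{ua}] probed {len(uris)} endpoints: {', '.join(uris)}")
```

Run on the sample, only the 203.0.113.7 / python-requests pair is reported; the internal health check and the authenticated kubelet are filtered out, and the single curl request from 198.51.100.9 stays below the threshold. Lowering min_distinct_uris to 1 is the equivalent of the broad hunting searches in this story, which surface every anonymous external request for triage rather than only the multi-endpoint walks.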

Detections

Name                                          Technique                  Type
Amazon EKS Kubernetes cluster scan detection  Cloud Service Discovery    Hunting
Amazon EKS Kubernetes Pod scan detection      Cloud Service Discovery    Hunting
GCP Kubernetes cluster pod scan detection     Cloud Service Discovery    Hunting
GCP Kubernetes cluster scan detection         Cloud Service Discovery    TTP
Kubernetes Azure pod scan fingerprint         None                       Hunting
Kubernetes Azure scan fingerprint             Cloud Service Discovery    Hunting

Data Sources

Name    Platform    Sourcetype    Source

References


Source: GitHub | Version: 1