Description

This story addresses detection of Kubernetes cluster fingerprinting scans and attacks by providing information on items such as source IP, user agent and cluster name.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Email
  • Last Updated: 2020-04-15
  • Author: Rod Soto, Splunk
  • ID: a9ef59cf-e981-4e66-9eef-bb049f695c09

Narrative

Kubernetes is the most widely used container orchestration platform. It holds sensitive information and management privileges over production workloads, microservices and applications. These searches allow an operator to detect suspicious unauthenticated requests from the internet to a Kubernetes cluster.
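As an added example (not part of the Splunk story or its searches), the following Python applies the story's logic to constructed Kubernetes audit-log lines: it keeps only anonymous requests whose source address lies outside internal ranges and summarises them by cluster, source IP and user agent. The cluster name is assumed to be supplied by the caller, since it comes from the log source rather than from the event itself.

```python
import ipaddress
import json
from collections import defaultdict

# Only RFC 1918, loopback and link-local count as internal, so the RFC 5737
# documentation addresses in the constructed sample below read as internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

def audit_event(user, ip, ua, uri, code):
    return json.dumps({"user": {"username": user}, "sourceIPs": [ip], "userAgent": ua,
                       "requestURI": uri, "responseStatus": {"code": code}})

# Constructed sample: two anonymous probes from one internet host, an internal
# health check, an authenticated admin call and one malformed line.
SAMPLE_AUDIT_LOG = "\n".join([
    audit_event("system:anonymous", "203.0.113.7", "python-requests/2.25.1", "/api/v1/pods", 403),
    audit_event("system:anonymous", "203.0.113.7", "python-requests/2.25.1", "/version", 200),
    audit_event("system:anonymous", "10.0.3.4", "kube-probe/1.18", "/healthz", 200),
    audit_event("kubernetes-admin", "198.51.100.9", "kubectl/v1.18.0", "/api/v1/pods", 200),
    "not-json",
])

def is_internet_source(ip):
    # True when ip parses and lies outside every internal range above.
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def detect_unauthenticated_scans(raw_log, cluster):
    # Group anonymous API requests from the internet by the story's pivots:
    # (cluster, source IP, user agent) -> {"count": n, "uris": [...]}.
    hits = defaultdict(lambda: {"count": 0, "uris": set()})
    for line in raw_log.splitlines():
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # malformed line: skip it rather than abort the search
        if ev.get("user", {}).get("username") != "system:anonymous":
            continue  # authenticated caller, out of scope for this story
        ips = [ip for ip in ev.get("sourceIPs", []) if is_internet_source(ip)]
        if not ips:
            continue  # anonymous but internal, e.g. kubelet health probes
        h = hits[(cluster, ips[0], ev.get("userAgent", ""))]
        h["count"] += 1
        h["uris"].add(ev.get("requestURI", ""))
    return {k: {"count": v["count"], "uris": sorted(v["uris"])} for k, v in hits.items()}
```

Running `detect_unauthenticated_scans(SAMPLE_AUDIT_LOG, "prod-eks")` leaves a single group for the internet host, with both probed URIs, while the internal probe and the authenticated call are filtered out.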

Detections

Name                                          Technique                Type
Amazon EKS Kubernetes Pod scan detection      Cloud Service Discovery  Hunting
Amazon EKS Kubernetes cluster scan detection  Cloud Service Discovery  Hunting
GCP Kubernetes cluster pod scan detection     Cloud Service Discovery  Hunting
GCP Kubernetes cluster scan detection         Cloud Service Discovery  TTP
Kubernetes Azure pod scan fingerprint                                  Hunting
Kubernetes Azure scan fingerprint             Cloud Service Discovery  Hunting

Reference

source | version: 1