Analytics Story: Kubernetes Sensitive Role Activity

Description

This story addresses detection and response around sensitive role usage within a Kubernetes cluster against cluster resources and namespaces.

Why it matters

Kubernetes is the most widely used container orchestration platform. Its architecture contains sensitive roles, specifically those granting access to configmaps and secrets, which if accessed by an attacker can lead to further compromise. These searches allow operators to detect suspicious requests against Kubernetes role activity.

Detections

Name | Technique | Type
Kubernetes AWS detect most active service accounts by pod | None | Hunting
Kubernetes AWS detect RBAC authorization by account | None | Hunting
Kubernetes AWS detect sensitive role access | None | Hunting
Kubernetes Azure active service accounts by pod namespace | None | Hunting
Kubernetes Azure detect RBAC authorization by account | None | Hunting
Kubernetes Azure detect sensitive role access | None | Hunting
Kubernetes GCP detect most active service accounts by pod | None | Hunting
Kubernetes GCP detect RBAC authorizations by account | None | Hunting
Kubernetes GCP detect sensitive role access | None | Hunting

Data Sources

Name | Platform | Sourcetype | Source

References


Source: GitHub | Version: 1