Analytics Story: Kubernetes Sensitive Role Activity
Description
This story addresses detection and response around Sensitive Role usage within a Kubernetes clusters against cluster resources and namespaces.
Why it matters
Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitive roles within its architecture, specifically configmaps and secrets, if accessed by an attacker can lead to further compromise. These searches allow operator to detect suspicious requests against Kubernetes role activities
Detections
| Name | Technique | Type |
|---|---|---|
| Kubernetes AWS detect most active service accounts by pod | None | Hunting |
| Kubernetes AWS detect RBAC authorization by account | None | Hunting |
| Kubernetes AWS detect sensitive role access | None | Hunting |
| Kubernetes Azure active service accounts by pod namespace | None | Hunting |
| Kubernetes Azure detect RBAC authorization by account | None | Hunting |
| Kubernetes Azure detect sensitive role access | None | Hunting |
| Kubernetes GCP detect most active service accounts by pod | None | Hunting |
| Kubernetes GCP detect RBAC authorizations by account | None | Hunting |
| Kubernetes GCP detect sensitive role access | None | Hunting |
Data Sources
| Name | Platform | Sourcetype | Source |
|---|
References
Source: GitHub | Version: 1