Kubernetes Sensitive Role Activity
Description
This story addresses detection and response around Sensitive Role usage within a Kubernetes clusters against cluster resources and namespaces.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:
- Last Updated: 2020-05-20
- Author: Rod Soto, Splunk
- ID: 8b3984d2-17b6-47e9-ba43-a3376e70fdcc
Narrative
Kubernetes is the most used container orchestration platform, this orchestration platform contains sensitive roles within its architecture, specifically configmaps and secrets, if accessed by an attacker can lead to further compromise. These searches allow operator to detect suspicious requests against Kubernetes role activities
Detections
| Name | Technique | Type |
|---|---|---|
| Kubernetes AWS detect most active service accounts by pod | None | Hunting |
| Kubernetes AWS detect RBAC authorization by account | None | Hunting |
| Kubernetes AWS detect sensitive role access | None | Hunting |
| Kubernetes Azure active service accounts by pod namespace | None | Hunting |
| Kubernetes Azure detect RBAC authorization by account | None | Hunting |
| Kubernetes Azure detect sensitive role access | None | Hunting |
| Kubernetes GCP detect RBAC authorizations by account | None | Hunting |
| Kubernetes GCP detect most active service accounts by pod | None | Hunting |
| Kubernetes GCP detect sensitive role access | None | Hunting |
Reference
source | version: 1