⚠️ WARNING THIS IS A EXPERIMENTAL DETECTION

We have not been able to test, simulate or build datasets for it, use at your own risk!

Try in Splunk Security Cloud

Description

This search provides detection information on unauthenticated requests against Kubernetes' Pods API

  • Type: Hunting
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-04-15
  • Author: Rod Soto, Splunk
  • ID: dbfca1dd-b8e5-4ba4-be0e-e565e5d62002

ATT&CK

ID Technique Tactic
T1526 Cloud Service Discovery Discovery
`aws_cloudwatchlogs_eks` "user.username"="system:anonymous" verb=list objectRef.resource=pods requestURI="/api/v1/pods" 
| rename source as cluster_name sourceIPs{} as src_ip 
| stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(responseStatus.code) values(userAgent) values(verb) values(requestURI) by src_ip cluster_name user.username user.groups{} 
| `security_content_ctime(lastTime)` 
| `security_content_ctime(firstTime)` 
| `amazon_eks_kubernetes_pod_scan_detection_filter` 

Associated Analytic Story

How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on forAWS (version 4.4.0 or later), then configure your AWS CloudWatch EKS Logs.Please also customize the kubernetes_pods_aws_scan_fingerprint_detection macro to filter out the false positives.

Required field

  • _time
  • user.username
  • verb
  • objectRef.resource
  • requestURI
  • source
  • sourceIPs{}
  • responseStatus.reason
  • responseStatus.code
  • userAgent
  • src_ip
  • user.groups{}

Kill Chain Phase

  • Reconnaissance

Known False Positives

Not all unauthenticated requests are malicious, but frequency, UA and source IPs and direct request to API provide context.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1