Kubernetes Azure active service accounts by pod namespace
Description
This search provides information on Kubernetes service accounts,accessing pods and namespaces by IP address and verb
- Type: Hunting
-
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2020-05-26
- Author: Rod Soto, Splunk
- ID: 55a2264a-b7f0-45e5-addd-1e5ab3415c72
Annotations
ATT&CK
Kill Chain Phase
- Exploitation
NIST
CIS20
CVE
Search
1
2
3
4
5
6
`kubernetes_azure` category=kube-audit
| spath input=properties.log
| search user.groups{}=system:serviceaccounts* OR user.username=system.anonymous OR annotations.authorization.k8s.io/decision=allow
| table sourceIPs{} user.username userAgent verb responseStatus.reason responseStatus.status properties.pod objectRef.namespace
| top sourceIPs{} user.username verb responseStatus.status properties.pod objectRef.namespace
|`kubernetes_azure_active_service_accounts_by_pod_namespace_filter`
Macros
The SPL above uses the following Macros:
Note that kubernetes_azure_active_service_accounts_by_pod_namespace_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required field
- _time
How To Implement
You must install the Add-on for Microsoft Cloud Services and Configure Kube-Audit data diagnostics
Known False Positives
Not all service accounts interactions are malicious. Analyst must consider IP and verb context when trying to detect maliciousness.
Associated Analytic story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 25.0 | 50 | 50 | tbd |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1