
Description

This story addresses detection and response for accounts accessing sensitive Kubernetes cluster objects such as configmaps and secrets, reporting for each request items such as the user, group, object, namespace and authorization reason.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-05-20
  • Author: Rod Soto, Splunk
  • ID: 2574e6d9-7254-4751-8925-0447deeec8ea

Narrative

Kubernetes is the most widely used container orchestration platform. Its architecture contains sensitive objects, specifically configmaps and secrets, and if an attacker gains access to them it can lead to further compromise (secrets hold credentials, tokens and keys; configmaps frequently hold connection strings and service configuration). These searches allow an operator to detect suspicious requests against these sensitive Kubernetes objects.
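The page lists the detection by name but does not reproduce its search, so the following is an added example, not Splunk's SPL or any code from this story. It applies the same idea to a few constructed Kubernetes audit log events (audit.k8s.io/v1 Event shape, as the API server writes them): keep every request against secrets or configmaps, drop routine traffic from Kubernetes system identities (the prefix list is an assumption to tune per cluster), surface the user, groups, object, namespace and authorization reason/decision, and then narrow to kubectl user agents for the hunting angle of "Kubernetes AWS detect suspicious kubectl calls". Denied (403) attempts are kept on purpose: a failed cluster-wide list of secrets is reconnaissance worth seeing.

```python
"""Hunt for access to sensitive Kubernetes objects in audit log events.

Added example (not Splunk's search). Sample events below are constructed,
not taken from a real cluster.
"""
import json
from typing import Dict, Iterable, List

SENSITIVE_RESOURCES = {"secrets", "configmaps"}
# Assumed list of identities whose routine access to these objects is expected.
SYSTEM_USER_PREFIXES = ("system:kube-", "system:apiserver", "system:node:",
                        "system:serviceaccount:kube-system:")
KUBECTL = "kubectl/v1.18.2 (linux/amd64) kubernetes/52c56ce"


def _mk(verb, username, groups, agent, resource, namespace, name, code, decision, reason):
    """Build one constructed audit.k8s.io/v1 Event as a dict."""
    ref = {"resource": resource, "apiVersion": "v1"}
    if namespace is not None:
        ref["namespace"] = namespace
    if name is not None:
        ref["name"] = name
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
            "stage": "ResponseComplete", "verb": verb,
            "user": {"username": username, "groups": groups},
            "userAgent": agent, "sourceIPs": ["203.0.113.10"],
            "objectRef": ref, "responseStatus": {"code": code},
            "annotations": {"authorization.k8s.io/decision": decision,
                            "authorization.k8s.io/reason": reason}}


# Constructed newline-delimited JSON audit log (five events).
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _mk("get", "kubernetes-admin", ["system:masters", "system:authenticated"], KUBECTL,
        "secrets", "payments", "db-credentials", 200, "allow",
        'RBAC: allowed by ClusterRoleBinding "cluster-admin" of ClusterRole "cluster-admin" to Group "system:masters"'),
    _mk("list", "dev@example.com", ["developers", "system:authenticated"], KUBECTL,
        "secrets", None, None, 403, "forbid", ""),
    _mk("get", "system:kube-controller-manager", ["system:authenticated"],
        "kube-controller-manager/v1.18.2 (linux/amd64) kubernetes/52c56ce",
        "configmaps", "kube-system", "kube-controller-manager", 200, "allow",
        'RBAC: allowed by ClusterRoleBinding "system:kube-controller-manager" of ClusterRole "system:kube-controller-manager" to User "system:kube-controller-manager"'),
    _mk("get", "kubernetes-admin", ["system:masters", "system:authenticated"], KUBECTL,
        "pods", "payments", "api-6d8f9", 200, "allow",
        'RBAC: allowed by ClusterRoleBinding "cluster-admin" of ClusterRole "cluster-admin" to Group "system:masters"'),
    _mk("list", "system:serviceaccount:payments:api",
        ["system:serviceaccounts", "system:serviceaccounts:payments", "system:authenticated"],
        "Go-http-client/2.0", "configmaps", "payments", None, 200, "allow",
        'RBAC: allowed by RoleBinding "api-config-reader/payments" of Role "config-reader" to ServiceAccount "api/payments"'),
])


def parse_audit_log(text: str) -> List[Dict]:
    """Parse newline-delimited JSON audit events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: not an audit event
        if ev.get("kind") == "Event":
            events.append(ev)
    return events


def is_system_identity(username: str) -> bool:
    return username.startswith(SYSTEM_USER_PREFIXES)


def summarize(ev: Dict) -> Dict:
    """Pull out the fields the story surfaces: user, groups, object, namespace, authz reason."""
    ref, user, ann = ev.get("objectRef") or {}, ev.get("user") or {}, ev.get("annotations") or {}
    return {"user": user.get("username", ""), "groups": list(user.get("groups", [])),
            "verb": ev.get("verb", ""), "resource": ref.get("resource", ""),
            "object": ref.get("name") or "*",            # list/watch carry no object name
            "namespace": ref.get("namespace") or "<cluster-scope>",
            "decision": ann.get("authorization.k8s.io/decision", ""),
            "reason": ann.get("authorization.k8s.io/reason", ""),
            "user_agent": ev.get("userAgent", ""),
            "source_ip": (ev.get("sourceIPs") or [""])[0],
            "status": (ev.get("responseStatus") or {}).get("code")}


def sensitive_object_access(events: Iterable[Dict], include_system: bool = False) -> List[Dict]:
    """All requests (allowed or denied) against secrets/configmaps, minus system identities by default."""
    hits = []
    for ev in events:
        if (ev.get("objectRef") or {}).get("resource") not in SENSITIVE_RESOURCES:
            continue
        s = summarize(ev)
        if include_system or not is_system_identity(s["user"]):
            hits.append(s)
    return hits


def suspicious_kubectl_calls(events: Iterable[Dict]) -> List[Dict]:
    """Narrow to interactive kubectl traffic against sensitive objects (the hunting view)."""
    return [s for s in sensitive_object_access(events) if s["user_agent"].startswith("kubectl/")]


if __name__ == "__main__":
    for s in suspicious_kubectl_calls(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f'{s["decision"]:6} {s["status"]} {s["user"]:20} {s["verb"]:5} '
              f'{s["resource"]}/{s["object"]} ns={s["namespace"]} reason={s["reason"] or "-"}')
```

In a real cluster the user-agent filter is only a starting point: an attacker can set any user agent, so the broader `sensitive_object_access` view (every non-system identity touching secrets or configmaps, including the in-pod Go client above) is the one to baseline, with kubectl calls from human accounts or from unexpected source IPs layered on top.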

Detections

Name                                            Technique      Type
Kubernetes AWS detect suspicious kubectl calls  (not mapped)   Hunting

Version: 1