Description

This story addresses detection and response around sensitive role usage within Kubernetes clusters, against both cluster-wide resources and namespaces.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-05-20
  • Author: Rod Soto, Splunk
  • ID: 8b3984d2-17b6-47e9-ba43-a3376e70fdcc

Narrative

Kubernetes is the most widely used container orchestration platform. Its architecture includes sensitive roles, in particular those that grant access to configmaps and secrets; if an attacker obtains such access, it can lead to further compromise of the cluster. These searches allow an operator to detect suspicious requests involving Kubernetes role activity.

Detections

Name                                                            | Technique | Type
----------------------------------------------------------------|-----------|--------
Kubernetes AWS detect most active service accounts by pod       | None      | Hunting
Kubernetes AWS detect RBAC authorization by account             | None      | Hunting
Kubernetes AWS detect sensitive role access                     | None      | Hunting
Kubernetes Azure active service accounts by pod namespace       | None      | Hunting
Kubernetes Azure detect RBAC authorization by account           | None      | Hunting
Kubernetes Azure detect sensitive role access                   | None      | Hunting
Kubernetes GCP detect RBAC authorizations by account            | None      | Hunting
Kubernetes GCP detect most active service accounts by pod       | None      | Hunting
Kubernetes GCP detect sensitive role access                     | None      | Hunting

Reference

source | version: 1