Skip to main content
Splunk Lantern

Detecting Kubernetes scanning activity

Kubernetes is the most used container orchestration platform. It contains sensitive information and management privileges of production workloads, microservices, and applications. You need to defend your organization against Kubernetes cluster fingerprint scans and attacks by providing information on items such as source IP addresses, user agents, and cluster names when scans are detected. The Splunk Security Research team developed this use case to help you detect suspicious unauthenticated requests from the internet to a Kubernetes cluster. 

Required data

How to use Splunk software for this use case

You can run many searches with Splunk software to detect Kubernetes scanning activity. Depending on what information you have available, you might find it useful to identify some or all of the following: 

Next steps

To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case: 

Measuring impact and benefit is critical to assessing the value of detecting Kubernetes scanning activity. The following are example metrics that can be useful to monitor when implementing this use case:

  • Less unauthenticated traffic to sensitive URLs: The provided detections provide an understanding of the HTTP API traffic your cluster is seeing that is unauthenticated 
  • Identified presence of scanning tools: Tools such as Zgrap or Nmap are usually clear indicators of suspicious activity.

The content in this article comes from Splunk Enterprise Security (ES). As a Splunk premium security solution, ES solves a wide range of security analytics and operations use cases including continuous security monitoring, advanced threat detection, compliance, incident investigation, forensics and incident response. Splunk ES delivers an end-to-end view of an organization's security posture with flexible investigations, unmatched performance, and the most flexible deployment options offered in the cloud, on-premises, or hybrid deployment models. If you have questions about this use case, see the Security Research team's support options on GitHub.

In addition, these Splunk resources might help you understand and implement this use case:

Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at if you require assistance.