Skip to main content


Splunk Lantern

Detecting Kubernetes scanning activity


Kubernetes is the most used container orchestration platform. It contains sensitive information and management privileges of production workloads, microservices, and applications. You need to defend your organization against Kubernetes cluster fingerprint scans and attacks by providing information on items such as source IP addresses, user agents, and cluster names when scans are detected. 

Required data

How to use Splunk software for this use case

To deploy this use case, you need to import the Splunk ES Content Updates into your Splunk Security Essentials or Splunk Enterprise Security deployment. This extensive content library empowers you to deploy out-of-the-box security detections and analytic stories to enhance your investigations and improve your security posture. Some of the detections that can help you with this use case include:

Next steps

To maximize their benefit, the searches above likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case: 

Measuring impact and benefit is critical to assessing the value of detecting Kubernetes scanning activity. The following are example metrics that can be useful to monitor when implementing this use case:

  • Less unauthenticated traffic to sensitive URLs: The provided detections provide an understanding of the HTTP API traffic your cluster is seeing that is unauthenticated 
  • Identified presence of scanning tools: Tools such as Zgrap or Nmap are usually clear indicators of suspicious activity.

In addition, these Splunk resources might help you understand and implement this use case:

Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at if you require assistance.