Skip to main content

Most active Kubernetes service accounts

  • Updated

You might want information about activity levels of Kubernetes service accounts when doing the following:

Prerequisites 

In order to execute this procedure in your environment, you may need to first on-board the services or apps shown in the following table.

Category

Name

Importance

Service

Kubernetes

Required

Add-on

Splunk Add-on for Amazon Web Services

Required

App

Splunk App for AWS

Required

Add-on

Splunk Add-on for Microsoft Cloud Services

Required

Add-on

Splunk Add-on for Google Cloud Platform

Required

 

Example

The purpose of this example is to show how this procedure works in a general environment. In your environment, you can optimize the search by specifying an index, a time range, or a different data source. 

Service accounts are prime targets for attackers as they may present the opportunity to obtain credentials and move across all the resources they access. You want to investigate the most active Kubernetes service accounts for each pod to determine if their activities represent a threat. 

AWS

  1. Ensure that your deployment is ingesting CloudWatch logs.
  2. Run the following search: 
`aws_cloudwatchlogs_eks` user.groups{}=system:serviceaccounts  objectRef.resource=pods 
|table sourceIPs{} user.username userAgent verb annotations.authorization.k8s.io/decision  
|top sourceIPs{} user.username verb annotations.authorization.k8s.io/decision |`kubernetes_aws_detect_most_active_service_accounts_by_pod_filter`

Search Explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search

Explanation

`aws_cloudwatchlogs_eks` 

Run a macro to search AWS EKS Kubernetes data.

Note: The punctuation surrounding a Splunk macro is always a back tick (`), not a single quote (').

user.groups{}=system:serviceaccounts  

Search the service accounts user group.

objectRef.resource=pods

Search your Kubernetes pods data.

|table sourceIPs{} user.username userAgent verb annotations.authorization.k8s.io/decision  

Display the results in a table with columns in the order shown.

|top sourceIPs{} user.username verb annotations.authorization.k8s.io/decision 

Show the most active (by count and percentage) IP addresses, usernames, and request verbs (for example, list) with the respective decision (for example, deny or forbid).

|`kubernetes_aws_detect_most_active_service_accounts_by_pod_filter`  

Run this macro to speed up the search.

 

Azure

  1. Ensure that you have configured Kube-Audit data diagnostics.
  2. Run the following search: 
`kubernetes_azure` category=kube-audit 
|spath input=properties.log 
|search user.groups{}=system:serviceaccounts* OR user.username=system.anonymous OR annotations.authorization.k8s.io/decision=allow  
|table sourceIPs{} user.username userAgent verb responseStatus.reason responseStatus.status properties.pod objectRef.namespace 
|top sourceIPs{} user.username verb responseStatus.status properties.pod objectRef.namespace |`kubernetes_azure_detect_most_active_service_accounts_by_pod_namespace_filter`

Search Explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search

Explanation

`kubernetes_azure` 

This indicates the source type as Azure kube-audit data from Microsoft Cloud Add On 

category=kube-audit

Search the data source kube-audit from the diagnostic logs in Azure Cloud services.

|spath input=properties.log 

Extract fields from the properties Kube-Audit log.

|search user.groups{}=system:serviceaccounts* OR user.username=system.anonymous OR annotations.authorization.k8s.io/decision=allow  

Search the service account user group or anonymous access or any requests with allow decisions.

|table sourceIPs{} user.username userAgent verb responseStatus.reason responseStatus.status properties.pod objectRef.namespace 

Display the results in a table with columns in the order shown.

|top sourceIPs{} user.username verb responseStatus.status properties.pod objectRef.namespace 

Show the most active (by count and percentage) source IP addresses, usernames, request verbs (for example, list), response statuses, pods and namespaces.

|`kubernetes_azure_detect_most_active_service_accounts_by_pod_namespace_filter` 

Run this macro to speed up the search.

 

GCP

  1. Ensure that your deployment is ingesting Pub/Sub messaging logs.
  2. Run the following search:
`google_gcp_pubsub_message`  data.protoPayload.request.spec.group{}=system:serviceaccounts 
|table src_ip src_user http_user_agent data.protoPayload.request.spec.nonResourceAttributes.verb data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource 
|top src_ip src_user http_user_agent data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource |`kubernetes_gcp_detect_most_active_service_accounts_by_pod_filter`

Search Explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search

Explanation

`google_gcp_pubsub_message`  

Run a macro to search GCP Pub/Sub Kubernetes data.


Note: The punctuation surrounding a Splunk macro is always a back tick (`), not a single quote (').

data.protoPayload.request.spec.group{}=system:serviceaccounts

Search the service account user group.

|table src_ip src_user http_user_agent data.protoPayload.request.spec.nonResourceAttributes.verb data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource

Display the results in a table with columns in the order shown.

|top src_ip src_user http_user_agent data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource 

Show the most active (by count and percentage) source IP addresses, users, user agents, and the respective decisions on targeted resources. 

|`kubernetes_gcp_detect_most_active_service_accounts_by_pod_filter`

Run this macro to speed up the search.

 

Result

Not all service accounts interactions are malicious. Analysts must consider IP address, verb, and decision context when trying to detect maliciousness. Service accounts are usually created for specific tasks, so a number of unusual failures, deny statuses, or forbidden statuses may indicate suspicious activity. IP addresses must be restricted by security groups or allow/deny policies, unless a cluster API must be exposed. 

Related articles

Comments

0 comments

Please sign in to leave a comment.

The information provided in Splunk Lantern is intended for informational and educational purposes only. All information is provided in good faith, however, Splunk disclaims any and all representations and warranties, express and implied, regarding the information provided, including without limitation any warranties and representations regarding the completeness, adequacy or accuracy of the information. You agree to take full responsibility for the results arising from the use of the information provided.