You might want information about activity levels of Kubernetes service accounts when doing the following:
Prerequisites
In order to execute this procedure in your environment, you may need to first on-board the services or apps shown in the following table.
|
Category |
Name |
Importance |
|
Service |
Kubernetes |
Required |
|
Add-on |
Required |
|
|
App |
Required |
|
|
Add-on |
Required |
|
|
Add-on |
Required |
Example
The purpose of this example is to show how this procedure works in a general environment. In your environment, you can optimize the search by specifying an index, a time range, or a different data source.
Service accounts are prime targets for attackers as they may present the opportunity to obtain credentials and move across all the resources they access. You want to investigate the most active Kubernetes service accounts for each pod to determine if their activities represent a threat.
AWS
- Ensure that your deployment is ingesting CloudWatch logs.
- Run the following search:
sourcetype="aws:cloudwatchlogs:eks" user.groups{}=system:serviceaccounts objectRef.resource=pods
|table sourceIPs{} user.username userAgent verb annotations.authorization.k8s.io/decision
|top sourceIPs{} user.username verb annotations.authorization.k8s.io/decision
Search Explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
|
Splunk Search |
Explanation |
|
sourcetype="aws:cloudwatchlogs:eks" |
Search only AWS EKS Kubernetes data. |
|
user.groups{}=system:serviceaccounts |
Search the service accounts user group. |
|
objectRef.resource=pods |
Search your Kubernetes pods data. |
|
|table sourceIPs{} user.username userAgent verb annotations.authorization.k8s.io/decision |
Display the results in a table with columns in the order shown. |
|
|top sourceIPs{} user.username verb annotations.authorization.k8s.io/decision |
Show the most active (by count and percentage) IP addresses, usernames, and request verbs (for example, list) with the respective decision (for example, deny or forbid). |
Azure
- Ensure that you have configured Kube-Audit data diagnostics.
- Run the following search:
sourcetype=mscs:storage:blob:json category=kube-audit
|spath input=properties.log
|search user.groups{}=system:serviceaccounts* OR user.username=system.anonymous OR annotations.authorization.k8s.io/decision=allow
|table sourceIPs{} user.username userAgent verb responseStatus.reason responseStatus.status properties.pod objectRef.namespace
|top sourceIPs{} user.username verb responseStatus.status properties.pod objectRef.namespace
Search Explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
|
Splunk Search |
Explanation |
|
sourcetype:mscs:storage:blob:json |
Search the source type mscs:storage:blob:json. |
|
category=kube-audit |
Search the data source kube-audit from the diagnostic logs in Azure Cloud services. |
|
|spath input=properties.log |
Extract fields from the properties Kube-Audit log. |
|
|search user.groups{}=system:serviceaccounts* OR user.username=system.anonymous OR annotations.authorization.k8s.io/decision=allow |
Search the service account user group or anonymous access or any requests with allow decisions. |
|
|table sourceIPs{} user.username userAgent verb responseStatus.reason responseStatus.status properties.pod objectRef.namespace |
Display the results in a table with columns in the order shown. |
|
|top sourceIPs{} user.username verb responseStatus.status properties.pod objectRef.namespace |
Show the most active (by count and percentage) source IP addresses, usernames, request verbs (for example, list), response statuses, pods and namespaces. |
GCP
- Ensure that your deployment is ingesting Pub/Sub messaging logs.
- Run the following search:
sourcetype="google:gcp:pubsub:message" data.protoPayload.request.spec.group{}=system:serviceaccounts
|table src_ip src_user http_user_agent data.protoPayload.request.spec.nonResourceAttributes.verb data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource
|top src_ip src_user http_user_agent data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource
Search Explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
|
Splunk Search |
Explanation |
|
sourcetype="google:gcp:pubsub:message" |
Search only GCP Pub/Sub messages. |
|
data.protoPayload.request.spec.group{}=system:serviceaccounts |
Search the service account user group. |
|
|table src_ip src_user http_user_agent data.protoPayload.request.spec.nonResourceAttributes.verb data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource |
Display the results in a table with columns in the order shown. |
|
|top src_ip src_user http_user_agent data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource |
Show the most active (by count and percentage) source IP addresses, users, user agents, and the respective decisions on targeted resources. |
Result
Not all service accounts interactions are malicious. Analysts must consider IP address, verb, and decision context when trying to detect maliciousness. Service accounts are usually created for specific tasks, so a number of unusual failures, deny statuses, or forbidden statuses may indicate suspicious activity. IP addresses must be restricted by security groups or allow/deny policies, unless a cluster API must be exposed.
For additional information about this search, such as its applicability to common frameworks and standards, see this project on GitHub for AWS, Azure, or GCP.
Comments
0 comments
Please sign in to leave a comment.