Navigation :

Amazon EKS Kubernetes Cluster Scan Detection

Description

This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster in AWS

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Security Monitoring

Category

Cloud Security

Alert Volume

This search provides information of unauthenticated requests via user agent, and authentication data against Kubernetes cluster in AWS

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Discovery

MITRE ATT&CK Techniques

Cloud Service Discovery

Cloud Service Discovery

Kill Chain Phases

Reconnaissance

Data Sources

AWS
Audit Trail

   Help

Amazon EKS Kubernetes Cluster Scan Detection Help

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudWatch EKS Logs inputs.

   Search

`aws_cloudwatchlogs_eks` "user.username"="system:anonymous" userAgent!="AWS Security Scanner" | rename sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(source) as cluster_name values(responseStatus.code) values(userAgent) as http_user_agent values(verb) values(requestURI) by src_ip user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` |`amazon_eks_kubernetes_cluster_scan_detection_filter`
Open in Search