Navigation :

Image From New Repository Detected

Description

Detect the presence of an Image created from a Repository not seen in your Kubernetes environment before.

Content Mapping

This content is not mapped to any local saved search. Add mapping

Use Case

Advanced Threat Detection, Compliance

Security Impact

If an attacker manages to get access to your cluster he is likely to spin up new containers that contain either hacker tools or utilities or that contain cryptocurrency mining software. New repositories should only rarely appear in your production environment so the alert volume and false positive rate should be low. This detection leverages a baseline stored in a lookup to maintain the performance over longer time periods. By default the baseline is stored for 30 days.

Alert Volume

Low (?)

SPL Difficulty

Medium

Journey

Stage 3

MITRE ATT&CK Tactics

Impact

MITRE ATT&CK Techniques

Resource Hijacking

MITRE Threat Groups

APT41

Blue Mockingbird

Lazarus Group

Rocke

Kill Chain Phases

Installation

Actions On Objectives

Data Sources

Audit Trail

Kubernetes

How to Implement
Implementation of this example (or any of the First Time Seen examples) is generally very simple. Validate that you have the right data onboarded, and that the fields you want to monitor are properly extracted. Save the search. For this search, it is recommended it is run every hour but this can be changed to a less frequent schedule. .

How to Implement

Implementation of this example (or any of the First Time Seen examples) is generally very simple.

Validate that you have the right data onboarded, and that the fields you want to monitor are properly extracted.
Save the search.

For this search, it is recommended it is run every hour but this can be changed to a less frequent schedule. .

Known False Positives
This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching over (or for the lookup cache feature, the first occurrence over whatever time period you built the lookup). But while there are really no "false positives" in a traditional sense, there is definitely lots of noise. This search is designed to find older versions of Mimikatz (or other tools with similar techniques), and is not known to have any other false positives.

Known False Positives

This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching over (or for the lookup cache feature, the first occurrence over whatever time period you built the lookup). But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.

This search is designed to find older versions of Mimikatz (or other tools with similar techniques), and is not known to have any other false positives.

How To Respond
When this search returns values, initiate your incident response process and identify the owner of the Container and check if the usage of a completely new Repository of warranted. New Repositories should only rarely appear in a production environment.

Help
Image From New Repository Detected Help This example leverages the Simple search assistant. Here we start with a dataset of Splunk Connect for Kubernetes Pod logs. These logs are generated from the Pods themselves and reveals the image, container and repository information. This search might look a bit complicated but it is rather simple, we search the data for the last 1 hour, append the current baseline stored in the csv file image_from_new_respository_detected_baseline.csv. Then we calculate the first and last time we saw the repository based on the latest values and the baseline that we appended. At the end of the search we write back to the baseline file and mark any outliers so we can alert whenever the search returns something. There's also some logic that excludes the alerts if we don't have a baseline created and if the baseline is newer than two hours. This is to prevent outliers being created when you first run the search. .

Help

Image From New Repository Detected Help

This example leverages the Simple search assistant. Here we start with a dataset of Splunk Connect for Kubernetes Pod logs. These logs are generated from the Pods themselves and reveals the image, container and repository information. This search might look a bit complicated but it is rather simple, we search the data for the last 1 hour, append the current baseline stored in the csv file image_from_new_respository_detected_baseline.csv. Then we calculate the first and last time we saw the repository based on the latest values and the baseline that we appended. At the end of the search we write back to the baseline file and mark any outliers so we can alert whenever the search returns something. There's also some logic that excludes the alerts if we don't have a baseline created and if the baseline is newer than two hours. This is to prevent outliers being created when you first run the search. .

SPL for Image From New Repository Detected

Live Data

index=* sourcetype=kube:objects:pods image earliest=-1h@h latest=now| fields _time sourcetype metadata.namespace spec.containers{}.name spec.serviceAccount spec.containers{}.name spec.containers{}.image object.message status.hostIP status.podIP status.phase Repository| rename     metadata.namespace AS Namespace     spec.serviceAccount AS "Service Account"     spec.containers{}.name AS Container    spec.containers{}.image AS Image    object.message AS "Event Message"    status.hostIP AS host    status.podIP AS dest_ip    status.phase AS Status| rex field=Image "(?<Repository>[^/]*)/.*"| table _time Container Image Repository Namespace "Service Account" Status host dest_ip| eval comment="Append the baseline"| inputlookup append=T image_from_new_respository_detected_baseline| eventstats count(isOutlier) AS baselinesCount, max(eval('Last time seen' - 'First time seen')) AS baselinesAge| stats earliest(_time) as earliest,latest(_time) as latest, values(Container) AS Container, values(Image) AS Image, values(Namespace) AS Namespace, values("Service Account") AS "Service Account", values(Status) AS Status, values(host) AS host, values(dest_ip) AS dest_ip,max(baselinesCount) AS baselinesCount,max(baselinesAge) AS baselinesAge BY Repository| eval _time=earliest| eval maxlatest=now() | eval comment="If there is a new Repository found and the baselines have been generated we mark it as an outlier "| eval isOutlier=if(earliest >= relative_time(maxlatest, "-1h@h") AND (baselinesCount>0 AND baselinesAge>=7200), 1, 0)| fields - maxlatest| rename earliest AS "First time seen", latest AS "Last time seen"| table _time baselines* "First time seen" "Last time seen" isOutlier Repository Image Container  Namespace "Service Account" Status host dest_ip| eval comment="Only keep baseline of last 30 days"| where 'Last time seen'>= relative_time(now(), "-30d@d")| eval comment="Save new results back to baseline"| fields - baselines* comment| outputlookup output_format=splunk_mv_csv image_from_new_respository_detected_baseline | convert ctime("First time seen"),ctime("Last time seen") | where isOutlier=1

Here we start with a dataset of Splunk Connect for Kubernetes Pod logs. These logs are generated from the Pods themselves and reveals the image, container and repository information. This search might look a bit complicated but it is rather simple, we search the data for the last 1 hour, append the current baseline stored in the csv file image_from_new_respository_detected_baseline.csv. Then we calculate the first and last time we saw the repository based on the latest values and the baseline that we appended. At the end of the search we write back to the baseline file and mark any outliers so we can alert whenever the search returns something. There's also some logic that excludes the alerts if we don't have a baseline created and if the baseline is newer than two hours. This is to prevent outliers being created when you first run the search.