Image From New Repository Detected
Description
Detect the presence of an Image created from a Repository not seen in your Kubernetes environment before.
How to Implement
Implementation of this example (or any of the First Time Seen examples) is generally very simple.
For this search, it is recommended that it runs every hour, but this can be changed to a less frequent schedule.
Known False Positives
This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching over (or for the lookup cache feature, the first occurrence over whatever time period you built the lookup). But while there are really no "false positives" in a traditional sense, there is definitely lots of noise. This search is designed to find older versions of Mimikatz (or other tools with similar techniques), and is not known to have any other false positives.
How To Respond
When this search returns values, initiate your incident response process, identify the owner of the Container, and check whether the use of a completely new Repository is warranted. New Repositories should only rarely appear in a production environment.
Help
Image From New Repository Detected Help
This example leverages the Simple search assistant. Here we start with a dataset of Splunk Connect for Kubernetes Pod logs. These logs are generated from the Pods themselves and reveal the image, container and repository information. This search might look a bit complicated, but it is rather simple: we search the data for the last 1 hour and append the current baseline stored in the csv file image_from_new_respository_detected_baseline.csv. Then we calculate the first and last time we saw the repository, based on the latest values and the baseline that we appended. At the end of the search we write back to the baseline file and mark any outliers, so we can alert whenever the search returns something. There's also some logic that excludes the alerts if we don't have a baseline created and if the baseline is newer than two hours. This is to prevent outliers being created when you first run the search.
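The baseline-and-outlier logic described above, re-implemented here as an added example in Python; this is not the SPL search from Splunk Security Essentials nor code from Splunk Connect for Kubernetes. It loads a constructed baseline CSV with assumed columns `repository,firstTime,lastTime`, merges the last hour of constructed pod events into it, returns the merged baseline to be written back, and suppresses alerts when no baseline exists yet or the baseline is younger than two hours. Two definitions are assumptions: a "repository" is the image reference with tag and digest stripped, and the baseline's age is the earliest `firstTime` it contains.

```python
import csv
import io

ONE_HOUR = 3600
SEARCH_WINDOW = ONE_HOUR          # the search runs over the last 1 hour
BASELINE_WARMUP = 2 * ONE_HOUR    # no alerts while the baseline is younger than this


def parse_repository(image):
    """Return the repository part of an image reference (assumed definition).

    Strips a trailing @digest and a :tag but keeps a registry port, so
    'registry:5000/team/app:1.2' -> 'registry:5000/team/app'.
    """
    name = image.split("@", 1)[0]            # drop @sha256:... digest
    head, sep, last = name.rpartition("/")   # tag can only follow the last path segment
    last = last.split(":", 1)[0]             # drop :tag
    return head + sep + last


def load_baseline(csv_text):
    """Parse the baseline CSV; None means no baseline has been created yet."""
    if not csv_text.strip():
        return None
    rows = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows[row["repository"]] = {
            "firstTime": int(row["firstTime"]),
            "lastTime": int(row["lastTime"]),
        }
    return rows


def dump_baseline(rows):
    """Serialise the merged baseline back to CSV (the write-back step)."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["repository", "firstTime", "lastTime"])
    for repo in sorted(rows):
        writer.writerow([repo, rows[repo]["firstTime"], rows[repo]["lastTime"]])
    return out.getvalue()


def detect_new_repositories(events, baseline, now):
    """Return (merged_baseline, alerts).

    events: pod log events as {"_time": epoch_seconds, "image": str} (constructed shape)
    baseline: result of load_baseline(), or None on the very first run
    alerts: repositories whose first sighting falls inside the current window
    """
    window_start = now - SEARCH_WINDOW

    # first/last sighting per repository within the live search window
    seen = {}
    for ev in events:
        if not window_start <= ev["_time"] <= now:
            continue
        repo = parse_repository(ev["image"])
        entry = seen.setdefault(repo, {"firstTime": ev["_time"], "lastTime": ev["_time"]})
        entry["firstTime"] = min(entry["firstTime"], ev["_time"])
        entry["lastTime"] = max(entry["lastTime"], ev["_time"])

    # append the stored baseline and recompute min(firstTime) / max(lastTime)
    merged = {repo: dict(e) for repo, e in (baseline or {}).items()}
    for repo, entry in seen.items():
        if repo in merged:
            merged[repo]["firstTime"] = min(merged[repo]["firstTime"], entry["firstTime"])
            merged[repo]["lastTime"] = max(merged[repo]["lastTime"], entry["lastTime"])
        else:
            merged[repo] = dict(entry)

    # suppress alerts when there is no baseline or it is newer than two hours,
    # otherwise every repository would be an outlier on the first runs
    if not baseline:
        return merged, []
    baseline_created = min(e["firstTime"] for e in baseline.values())  # assumed age measure
    if baseline_created > now - BASELINE_WARMUP:
        return merged, []

    # outliers: repositories first seen inside the current window
    alerts = sorted(repo for repo, e in merged.items() if e["firstTime"] >= window_start)
    return merged, alerts


if __name__ == "__main__":
    now = 1_700_000_000
    baseline_csv = (
        "repository,firstTime,lastTime\n"
        "registry.example.com/platform/nginx,1699900000,1699996000\n"
    )
    sample_events = [  # constructed pod events
        {"_time": now - 600, "image": "registry.example.com/platform/nginx:1.25"},
        {"_time": now - 300, "image": "docker.io/someuser/debug-shell:latest"},
    ]
    merged, alerts = detect_new_repositories(sample_events, load_baseline(baseline_csv), now)
    print("alerts:", alerts)
    print(dump_baseline(merged))
```

On the first run the function returns an empty alert list but a fully populated baseline, which is exactly what should be written back; from the third hourly run onward, any repository absent from the file surfaces as an alert while known repositories only have their `lastTime` refreshed.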
SPL for Image From New Repository Detected
Live Data