Kubernetes AWS Detect Suspicious Kubectl Calls
Description
This search provides information on anonymous Kubectl calls, with IP, verb, namespace and object access context.
Use Case
Security Monitoring
Category
Adversary Tactics
Alert Volume
This search provides information on anonymous Kubectl calls, with IP, verb, namespace and object access context.
SPL Difficulty
None
Journey
Stage 3
Data Sources
AWS
Audit Trail
Help
You must install the Splunk AWS add-on and the Splunk App for AWS. This search works with CloudWatch logs.
Search
`aws_cloudwatchlogs_eks` userAgent=kubectl* sourceIPs{}!=127.0.0.1 sourceIPs{}!=::1 src_user=system:anonymous | table src_ip src_user verb userAgent requestURI | stats count by src_ip src_user verb userAgent requestURI | `kubernetes_aws_detect_suspicious_kubectl_calls_filter`
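The same filter and grouping applied to raw audit records, as an added example (not Splunk's code) for checking what the search would flag before tuning the filter macro. It assumes `src_user` maps to `user.username` and `src_ip` to the first non-loopback entry of `sourceIPs`, and it drops events whose source addresses are all loopback; the sample records are constructed.

```python
import json
from collections import Counter

LOOPBACK = {"127.0.0.1", "::1"}
ANON = "system:anonymous"
KUBECTL = "kubectl/v1.21.0 (linux/amd64) kubernetes/abc1234"  # constructed user agent


def make_event(user, agent, ips, verb, uri):
    """Build one constructed audit record as a JSON log line."""
    return json.dumps({"kind": "Event", "user": {"username": user}, "userAgent": agent,
                       "sourceIPs": ips, "verb": verb, "requestURI": uri})


# Constructed sample input: not real logs, addresses are documentation ranges.
SAMPLE_LINES = [
    make_event(ANON, KUBECTL, ["203.0.113.10"], "list", "/api/v1/namespaces/default/pods"),
    make_event(ANON, KUBECTL, ["203.0.113.10"], "list", "/api/v1/namespaces/default/pods"),
    make_event(ANON, KUBECTL, ["203.0.113.10"], "get", "/api/v1/namespaces/kube-system/secrets"),
    make_event(ANON, KUBECTL, ["127.0.0.1"], "get", "/api/v1/nodes"),       # loopback only
    make_event("alice", KUBECTL, ["198.51.100.7"], "get", "/api/v1/nodes"),  # authenticated
    make_event(ANON, "curl/7.68.0", ["203.0.113.10"], "get", "/api"),        # not kubectl
    "START RequestId: not-json",                                             # non-JSON line
]


def suspicious_kubectl_calls(lines):
    """Count anonymous kubectl calls from non-loopback sources.

    Keys mirror the search's stats clause:
    (src_ip, src_user, verb, userAgent, requestURI).
    """
    counts = Counter()
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip anything that is not a JSON audit record
        if not isinstance(ev, dict):
            continue
        user = (ev.get("user") or {}).get("username", "")
        agent = ev.get("userAgent", "")
        remote = [ip for ip in ev.get("sourceIPs") or [] if ip not in LOOPBACK]
        if agent.startswith("kubectl") and user == ANON and remote:
            counts[(remote[0], user, ev.get("verb"), agent, ev.get("requestURI"))] += 1
    return counts


if __name__ == "__main__":
    for key, n in suspicious_kubectl_calls(SAMPLE_LINES).items():
        print(n, *key)
```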