Navigation :

Kubernetes AWS Detect Suspicious Kubectl Calls

Description

This search provides information on anonymous Kubectl calls with IP, verb namespace and object access context

Content Mapping

This content is not mapped to any local saved search. Add mapping

Use Case

Security Monitoring

Alert Volume

This search provides information on anonymous Kubectl calls with IP, verb namespace and object access context

SPL Difficulty

None

Journey

Stage 3

Data Sources

AWS

Audit Trail

Help
Kubernetes AWS Detect Suspicious Kubectl Calls Help You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs.

Help

Kubernetes AWS Detect Suspicious Kubectl Calls Help

You must install splunk AWS add on and Splunk App for AWS. This search works with cloudwatch logs.

Search
`aws_cloudwatchlogs_eks` userAgent=kubectl* sourceIPs{}!=127.0.0.1 sourceIPs{}!=::1 src_user=system:anonymous \| table src_ip src_user verb userAgent requestURI \| stats count by src_ip src_user verb userAgent requestURI \|`kubernetes_aws_detect_suspicious_kubectl_calls_filter` Open in Search

Search

`aws_cloudwatchlogs_eks` userAgent=kubectl* sourceIPs{}!=127.0.0.1 sourceIPs{}!=::1 src_user=system:anonymous  | table  src_ip src_user verb userAgent requestURI  | stats  count by src_ip src_user verb userAgent requestURI |`kubernetes_aws_detect_suspicious_kubectl_calls_filter`

Open in Search