Kubernetes GCP Detect Suspicious Kubectl Calls
Description
This search reports anonymous kubectl calls, with the source IP, verb, namespace and object access context.
Use Case
Security Monitoring
Category
Adversary Tactics
Alert Volume
This search reports anonymous kubectl calls, with the source IP, verb, namespace and object access context.
SPL Difficulty
None
Journey
Stage 3
Data Sources
GCP
Audit Trail
Help
You must install the Splunk Add-on for GCP. This search works with Pub/Sub messaging logs.
Search
`google_gcp_pubsub_message` data.protoPayload.requestMetadata.callerSuppliedUserAgent=kubectl* (src_user=system:unsecured OR src_user=system:anonymous)
| table src_ip src_user data.protoPayload.requestMetadata.callerSuppliedUserAgent data.protoPayload.authorizationInfo{}.granted object_path
| dedup src_ip src_user
| `kubernetes_gcp_detect_suspicious_kubectl_calls_filter`