Suspicious Container Image Name
Description
This search looks for image creation events in Kubernetes audit logs and compares the image names against a lookup of keywords that are likely to indicate a suspicious image. This technique is particularly useful for detecting cryptomining attacks.
How to Implement
Assuming you use the ubiquitous AWS, GCP, or Azure Add-ons for Splunk to pull these logs in, this search should work automatically for you without issue. While implementing, make sure you follow the best practice of specifying the index for your data.
Known False Positives
This search should trigger very few false positives, because it is filtered to very specific events. The keyword list uses wildcards, so some matches may be benign image names that happen to contain a keyword such as "coin" or "mining". You can modify the lookup to get around this in your environment.
How To Respond
This alert is very clearly tied to a known threat, so when it fires your concern is that it represents an attacker inside one of your systems. The recommended step is to begin incident response on the host where this alert fired and look for signs of other suspicious activity. The first step in that process is to look for other events that involve the same source IP or user name and see what else the attacker might have done. That should guide you to the underlying problem.
Help
The basic idea behind this search is to take a set of container image names and cross-reference them against a set of known bad keywords. There are three phases to this search.
SPL for Suspicious Container Image Name
AWS Data
First we find container creation events
GCP Data
First we find container creation events
Azure Data
First we find container creation events
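The cross-referencing described in the Help section, as an added example rather than the SPL from Splunk Security Essentials: it runs over constructed Kubernetes audit events, keeps pod creation events, wildcard-matches each container image name against a keyword list, and reports the user and source IP to pivot on. The three phases are an assumed breakdown of the search, the keyword list and allowlist are constructed stand-ins for the real lookup, and the allowlist shows one way to tune out the benign "mining" match the Known False Positives section warns about.

```python
import fnmatch
import json

# Constructed stand-in for the detection's keyword lookup. The page cites "coin"
# and "mining" as the kind of wildcarded keywords it holds.
SUSPICIOUS_KEYWORDS = ["*coin*", "*mining*"]

# Constructed allowlist: one way to suppress a benign image that a wildcard
# keyword would otherwise match (the page suggests tuning the lookup per environment).
BENIGN_IMAGES = ["registry.example.internal/analytics/datamining-service:*"]

# Constructed Kubernetes audit events (one JSON object per line, as the API server writes them).
SAMPLE_AUDIT_LINES = [
    json.dumps({"kind": "Event", "verb": "create", "user": {"username": "dev-ci"},
                "sourceIPs": ["203.0.113.7"], "objectRef": {"resource": "pods"},
                "requestObject": {"spec": {"containers": [{"image": "docker.io/example/coin-worker:latest"}]}}}),
    json.dumps({"kind": "Event", "verb": "create", "user": {"username": "analytics"},
                "sourceIPs": ["10.0.0.12"], "objectRef": {"resource": "pods"},
                "requestObject": {"spec": {"containers": [{"image": "registry.example.internal/analytics/datamining-service:1.2"}]}}}),
    json.dumps({"kind": "Event", "verb": "get", "user": {"username": "dev-ci"},
                "sourceIPs": ["203.0.113.7"], "objectRef": {"resource": "pods"}}),
]

def extract_images(event):
    """Phase 1 (assumed): keep only pod creation events and pull every container image name."""
    if event.get("verb") != "create" or event.get("objectRef", {}).get("resource") != "pods":
        return []
    spec = event.get("requestObject", {}).get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return [c["image"] for c in containers if "image" in c]

def matched_keywords(image, keywords=SUSPICIOUS_KEYWORDS):
    """Phase 2 (assumed): case-insensitive wildcard match of the image name against the keywords."""
    return [k for k in keywords if fnmatch.fnmatchcase(image.lower(), k)]

def detect(audit_lines, keywords=SUSPICIOUS_KEYWORDS, allowlist=()):
    """Phase 3 (assumed): one finding per matching image, with the user and source IP to pivot on."""
    findings = []
    for line in audit_lines:
        event = json.loads(line)
        for image in extract_images(event):
            if any(fnmatch.fnmatchcase(image, pattern) for pattern in allowlist):
                continue  # known-benign image, suppressed by the allowlist
            hits = matched_keywords(image, keywords)
            if hits:
                findings.append({"user": event["user"]["username"],
                                 "source_ip": event["sourceIPs"][0],
                                 "image": image, "keywords": hits})
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_AUDIT_LINES, allowlist=BENIGN_IMAGES):
        print(finding)
```

Running `detect` without the allowlist surfaces the benign `datamining-service` image as a "*mining*" hit, which is exactly the false positive the lookup tuning is meant to remove.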