A Kubernetes user attempted to perform a high number of actions that were denied

kubernetes

Classification:

attack

Tactic:

TA0007-discovery

Set up the kubernetes integration.

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Identify when a Kubernetes user attempts to perform a high number of actions that are denied in a short amount of time.

Strategy

This rule identifies responses of the API server where the reason for the error is set to Forbidden, indicating that an authenticated user attempted to perform an action that they are not explicitly authorized to perform.

The rule flags users who receive permission denied errors on several distinct API endpoints in a short amount of time.

Triage and response

  1. Determine if the user: {{@usr.id}} is expected to perform the denied actions. If yes, the alert may be due to a misconfigured application or a service account with insufficient privileges.
  2. Use the Cloud SIEM User Investigation dashboard to review any user actions that may have occurred after the potentially malicious action.

Changelog

  • 7 May 2024 - Updated detection query to include logs from Azure Kubernetes Service.
  • 15 July 2024 - Updated detection query to include logs from Google Kubernetes Engine.
PREVIEWING: may/unit-testing