
Summary
This rule detects potentially unauthorized access to Kubernetes Secrets, identified by requests that originate from unusual geographic locations, by analyzing Kubernetes API server audit logs. Secrets hold sensitive data such as passwords, tokens and keys, so a read of a Secret from an unexpected location may indicate that a stolen credential or kubeconfig is being used to exfiltrate that data. The rule uses `kube_audit` log data, selects successful requests against the `secrets` resource, extracts each request's source IP, enriches it with geolocation data, and filters out requests from known, allowed locations. Requests whose location falls outside that baseline are raised as alerts so the security operations center (SOC) can investigate and respond. Note that the source IP in an audit event is the address the API server saw: when clients reach the API server through a load balancer, NAT gateway, VPN or corporate proxy, the resolved location reflects that intermediary rather than the user, so the allowed-location baseline has to be tuned per environment to limit both false positives and false negatives.
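The detection logic the summary describes, run over constructed audit log lines, as an added example that is not the rule's own search. The `GEO_TABLE` mapping is a stand-in for a real geolocation source, `ALLOWED_LOCATIONS` is an assumed baseline, and every event is constructed, not captured from a cluster; only the field names (`verb`, `sourceIPs`, `objectRef`, `responseStatus`) follow the Kubernetes audit Event schema.

```python
"""Geolocation-anomaly check for Kubernetes Secret reads in kube_audit events.

Added example, not the rule's own search: shows the logic the summary
describes, run over constructed audit log lines.
"""
import ipaddress
import json
from typing import Iterable, List, Optional

# Assumption: constructed stand-in for an IP geolocation database (in a real
# deployment this is a GeoIP database or the SIEM's own geolocation lookup).
GEO_TABLE = {
    "10.0.0.0/8": "INTERNAL",    # cluster / VPC ranges
    "203.0.113.0/24": "US",      # TEST-NET-3, constructed mapping
    "198.51.100.0/24": "DE",     # TEST-NET-2, constructed mapping
    "192.0.2.0/24": "RU",        # TEST-NET-1, constructed mapping
}

# Assumption: the organisation's baseline of locations that normally read Secrets.
ALLOWED_LOCATIONS = {"INTERNAL", "US", "DE"}

# Verbs that return Secret contents to the caller.
SECRET_READ_VERBS = {"get", "list", "watch"}


def geolocate(ip: str) -> str:
    """Map an IP to a location label via GEO_TABLE; 'UNKNOWN' if unmapped."""
    addr = ipaddress.ip_address(ip)
    for cidr, location in GEO_TABLE.items():
        if addr in ipaddress.ip_network(cidr):
            return location
    return "UNKNOWN"


def is_successful_secret_read(event: dict) -> bool:
    """True for a completed request that actually returned Secret data.

    Only the ResponseComplete stage carries responseStatus, so requiring
    code 200 also drops RequestReceived duplicates and denied (403) calls.
    """
    obj = event.get("objectRef") or {}
    status = event.get("responseStatus") or {}
    return (obj.get("resource") == "secrets"
            and event.get("verb") in SECRET_READ_VERBS
            and status.get("code") == 200)


def client_ip(event: dict) -> Optional[str]:
    """sourceIPs[0] is the client as seen by the API server (which may be a
    load balancer or proxy); later entries are intermediaries."""
    ips = event.get("sourceIPs") or []
    return ips[0] if ips else None


def find_unusual_secret_access(lines: Iterable[str],
                               allowed=ALLOWED_LOCATIONS) -> List[dict]:
    """One alert per successful Secret read from outside `allowed`.

    Unresolvable IPs are alerted on as well (fail closed): an address the
    geolocation source cannot place deserves review, not silent dropping.
    """
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if not is_successful_secret_read(ev):
            continue
        ip = client_ip(ev)
        if ip is None:
            continue
        location = geolocate(ip)
        if location in allowed:
            continue
        obj = ev["objectRef"]
        alerts.append({
            "user": (ev.get("user") or {}).get("username"),
            "verb": ev["verb"],
            "namespace": obj.get("namespace"),
            "secret": obj.get("name"),
            "source_ip": ip,
            "location": location,
            "time": ev.get("requestReceivedTimestamp"),
        })
    return alerts


def _audit_line(user, verb, resource, name, ip, code=200, stage="ResponseComplete"):
    """Build one constructed kube_audit JSON line (not real log data)."""
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage,
          "requestReceivedTimestamp": "2024-11-14T10:00:00Z", "verb": verb,
          "user": {"username": user}, "sourceIPs": [ip],
          "objectRef": {"resource": resource, "namespace": "prod", "name": name}}
    if stage == "ResponseComplete":
        ev["responseStatus"] = {"code": code}
    return json.dumps(ev)


# Constructed sample input: allowed read, foreign read, denied read, non-secret
# read, RequestReceived duplicate, unmappable IP, and a malformed line.
SAMPLE_LINES = [
    _audit_line("alice", "get", "secrets", "db-creds", "203.0.113.7"),
    _audit_line("ci-bot", "list", "secrets", None, "192.0.2.44"),
    _audit_line("ci-bot", "get", "secrets", "db-creds", "192.0.2.44", code=403),
    _audit_line("ci-bot", "get", "pods", "web-0", "192.0.2.44"),
    _audit_line("ci-bot", "get", "secrets", "db-creds", "192.0.2.44", stage="RequestReceived"),
    _audit_line("bob", "get", "secrets", "tls-key", "100.64.1.9"),
    "this line is not JSON",
]

if __name__ == "__main__":
    for alert in find_unusual_secret_access(SAMPLE_LINES):
        print(alert)
```

Running the block prints two alerts: the `list` of Secrets by `ci-bot` from the RU range and the `get` by `bob` from an address the table cannot place. The 403 and RequestReceived events for the same foreign IP are deliberately not alerted on by this check; if the environment wants to catch failed probing from unusual locations as well, relax the `code == 200` condition and expect a higher alert volume.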
Categories
- Kubernetes
- Cloud
- Network
Data Sources
- Kernel
- Container
- Pod
- Application Log
ATT&CK Techniques
- T1552.007
Created: 2024-11-14