Kubeaudit events in advanced hunting
Kubernetes Kubeaudit events (and Azure Resource Manager cloud audit) are available in advanced hunting in the Microsoft Defender portal.
You can triage and investigate incidents that happened on your Kubernetes control plane attack surface and Azure Resource Management. You can also proactively hunt for threats using advanced hunting.
In addition, you can create custom detections for suspicious Resource Manager and Kubernetes (KubeAudit) control plane activities.
This feature covers:
Kubernetes KubeAudit events from Azure (Azure Kubernetes Service), Amazon Web Services (Amazon Elastic Kubernetes Service), Google Cloud Platform (Google Kubernetes Engine) and on-premises
Resource Manager control plane events
To start, see the new table that was added to the Schema tab in advanced hunting called CloudAuditEvents.
Common use cases and scenarios
- Investigate suspicious Resource Manager and Kubernetes (Kubeaudit) control plane activities in XDR advanced hunting
- Create custom detections for suspicious Resource Manager and Kubernetes (Kubeaudit) control plane activities
Prerequisites
- For Kubernetes events: you need at least one subscription with a Defender for Containers plan enabled
- For Azure Resource Manager events: you need at least one subscription with a Defender for Azure Resource Manager plan enabled
Sample queries
To surface deployment of a privileged pod, use the following sample query:
CloudAuditEvents
| where Timestamp > ago(1d)
| where DataSource == "Azure Kubernetes Service"
| where OperationName == "create"
| where RawEventData.ObjectRef.resource == "pods" and isnull(RawEventData.ObjectRef.subresource)
| where RawEventData.ResponseStatus.code startswith "20"
| extend PodName = RawEventData.RequestObject.metadata.name
| extend PodNamespace = RawEventData.ObjectRef.namespace
| mv-expand Container = RawEventData.RequestObject.spec.containers
| extend ContainerName = Container.name
| where Container.securityContext.privileged == "true"
| extend Username = RawEventData.User.username
| project Timestamp, AzureResourceId , OperationName, IPAddress, UserAgent, PodName, PodNamespace, ContainerName, Username
To surface the exec command in the kube-system namespace, use the following sample query:
CloudAuditEvents
| where Timestamp > ago(1d)
| where DataSource == "Azure Kubernetes Service"
| where OperationName == "create"
| where RawEventData.ObjectRef.resource == "pods" and RawEventData.ResponseStatus.code == 101
| where RawEventData.ObjectRef.namespace == "kube-system"
| where RawEventData.ObjectRef.subresource == "exec"
| where RawEventData.ResponseStatus.code == 101
| extend RequestURI = tostring(RawEventData.RequestURI)
| extend PodName = tostring(RawEventData.ObjectRef.name)
| extend PodNamespace = tostring(RawEventData.ObjectRef.namespace)
| extend Username = tostring(RawEventData.User.username)
| where PodName !startswith "tunnelfront-" and PodName !startswith "konnectivity-" and PodName !startswith "aks-link"
| extend Commands = extract_all(@"command=([^\&]*)", RequestURI)
| extend ParsedCommand = url_decode(strcat_array(Commands, " "))
| project Timestamp, AzureResourceId , OperationName, IPAddress, UserAgent, PodName, PodNamespace, Username, ParsedCommand
To identify the creation of the cluster-admin role binding, use the following sample query:
CloudAuditEvents
| where Timestamp > ago(1d)
| where OperationName == "create"
| where RawEventData.ObjectRef.resource == "clusterrolebindings"
| where RawEventData.ResponseStatus.code startswith "20"
| where RawEventData.RequestObject.roleRef.name == "cluster-admin"
| mv-expand Subject = RawEventData.RequestObject.subjects
| extend SubjectName = tostring(Subject.name)
| extend SubjectKind = tostring(Subject["kind"])
| extend BindingName = tostring(RawEventData.ObjectRef.name)
| extend ActionTakenBy = tostring(RawEventData.User.username)
| where ActionTakenBy != "acsService" //Remove FP
| project Timestamp, AzureResourceId , OperationName, ActionTakenBy, IPAddress, UserAgent, BindingName, SubjectName, SubjectKind
Related content
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for