分享方式:


進階搜捕中的 Kubeaudit 活動

您可在 Microsoft Defender 入口網站中的進階搜捕中使用 Kubernetes Kubeaudit 事件 (和 Azure Resource Manager 雲端稽核)。

您可以對 Kubernetes 控制平面攻擊面和 Azure 資源管理上發生的事件進行分級和調查。 您也可以使用進階搜捕主動搜捕威脅。

此外,您可以為可疑的 Resource Manager 和 Kubernetes (KubeAudit) 控制平面活動建立自訂偵測

此功能涵蓋:

  • 來自 Azure 的 Kubernetes KubeAudit 事件 (Azure Kubernetes Service)、Amazon Web Services (Amazon Elastic Kubernetes Service)、Google Cloud Platform (Google Kubernetes Engine) 和內部部署

  • Resource Manager 控制平面事件

若要開始,請參閱在進階搜捕中新增至 [結構描述] 索引標籤之名為 CloudAuditEvents 的新資料表。

進階搜捕中 [結構描述] 索引標籤中 CloudAuditEvents 資料表的螢幕擷取畫面。

常見使用案例和個案

  • 調查 XDR 進階搜捕中可疑 Resource Manager 和 Kubernetes (Kubeaudit) 控制平面活動
  • 建立可疑 Resource Manager 和 Kubernetes (Kubeaudit) 控制平面活動的自訂偵測

必要條件

  • 若是 Kubernetes 事件:您至少需要一個訂用帳戶,其中已啟用適用於容器的 Defender 方案
  • 若是 Azure Resource Manager 事件:您至少需要一個訂用帳戶,其中已啟用適用於 Azure Resource Manager 的 Defender 方案

範例查詢

若要呈現特殊權限 Pod 的部署,請使用下列範例查詢:

CloudAuditEvents
| where Timestamp > ago(1d)
| where DataSource == "Azure Kubernetes Service"
| where OperationName == "create"
| where RawEventData.ObjectRef.resource == "pods" and isnull(RawEventData.ObjectRef.subresource)
| where RawEventData.ResponseStatus.code startswith "20"
| extend PodName = RawEventData.RequestObject.metadata.name
| extend PodNamespace = RawEventData.ObjectRef.namespace
| mv-expand Container = RawEventData.RequestObject.spec.containers
| extend ContainerName = Container.name
| where Container.securityContext.privileged == "true"
| extend Username = RawEventData.User.username
| project Timestamp, AzureResourceId , OperationName, IPAddress, UserAgent, PodName, PodNamespace, ContainerName, Username

若要在 kube-system 命名空間中呈現 exec 命令,請使用下列範例查詢:

CloudAuditEvents
| where Timestamp > ago(1d)
| where DataSource == "Azure Kubernetes Service"
| where OperationName == "create"
| where RawEventData.ObjectRef.resource == "pods" and RawEventData.ResponseStatus.code == 101  
| where RawEventData.ObjectRef.namespace == "kube-system"
| where RawEventData.ObjectRef.subresource == "exec"
| where RawEventData.ResponseStatus.code == 101
| extend RequestURI = tostring(RawEventData.RequestURI)
| extend PodName = tostring(RawEventData.ObjectRef.name)
| extend PodNamespace = tostring(RawEventData.ObjectRef.namespace)
| extend Username = tostring(RawEventData.User.username)
| where PodName !startswith "tunnelfront-" and PodName !startswith "konnectivity-" and PodName !startswith "aks-link"
| extend Commands =  extract_all(@"command=([^\&]*)", RequestURI)
| extend ParsedCommand = url_decode(strcat_array(Commands, " "))
| project Timestamp, AzureResourceId , OperationName, IPAddress, UserAgent, PodName, PodNamespace,  Username, ParsedCommand

若要識別 cluster-admin 角色繫結的建立,請使用下列範例查詢:

CloudAuditEvents
| where Timestamp > ago(1d)
| where OperationName == "create"
| where RawEventData.ObjectRef.resource == "clusterrolebindings"
| where RawEventData.ResponseStatus.code startswith "20"
| where RawEventData.RequestObject.roleRef.name == "cluster-admin"
| mv-expand Subject = RawEventData.RequestObject.subjects
| extend SubjectName = tostring(Subject.name)
| extend SubjectKind = tostring(Subject["kind"]) 
| extend BindingName = tostring(RawEventData.ObjectRef.name)
| extend ActionTakenBy = tostring(RawEventData.User.username)
| where ActionTakenBy != "acsService" //Remove FP
| project Timestamp, AzureResourceId , OperationName, ActionTakenBy, IPAddress, UserAgent, BindingName, SubjectName, SubjectKind