Kubernetes Anonymous Request Authorizededit
This rule detects when an unauthenticated user request is authorized within the cluster. Attackers may attempt to use anonymous accounts to gain initial access to the cluster or to avoid attribution of their activities within the cluster. This rule excludes the /healthz, /livez and /readyz endpoints which are commonly accessed anonymously.
Rule type: query
Rule indices:
- logs-kubernetes.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Kubernetes
- Continuous Monitoring
- Execution
- Initial Access
- Defense Evasion
Version: 2 (version history)
Added (Elastic Stack release): 8.5.0
Last modified (Elastic Stack release): 8.6.0
Rule authors: Elastic
Rule license: Elastic License v2
Potential false positivesedit
Anonymous access to the API server is a dangerous setting enabled by default. Common anonymous connections (e.g., health checks) have been excluded from this rule. All other instances of authorized anonymous requests should be investigated.
Investigation guideedit
Rule queryedit
event.dataset : "kubernetes.audit_logs" and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and (kubernetes.audit.user.username:("system:anonymous" or "system:unauthenticated") or not kubernetes.audit.user.username:*) and not kubernetes.audit.objectRef.resource:("healthz" or "livez" or "readyz")
Threat mappingedit
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
-
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/
Rule version historyedit
- Version 2 (8.6.0 release)
-
-
Updated query, changed from:
kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and (kubernetes.audit.user.username:("system:anonymous" or "system:unauthenticated") or not kubernetes.audit.user.username:*) and not kubernetes.audit.objectRef.resource:("healthz" or "livez" or "readyz")
-