>_upskill
← back to registry

analyzing-kubernetes-audit-logs

reviewed

Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret access, RBAC modifications,

>_mukul975/Anthropic-Cybersecurity-Skills/skills/analyzing-kubernetes-audit-logs·commit 77d5d9d

name: analyzing-kubernetes-audit-logs description: 'Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret access, RBAC modifications, privileged pod creation, and anonymous API access. Builds threat detection rules from audit event patterns. Use when investigating Kubernetes cluster compromise or building k8s-specific SIEM detection rules.

' domain: cybersecurity subdomain: container-security tags:

  • analyzing
  • kubernetes
  • audit
  • logs version: '1.0' author: mahipal license: Apache-2.0 nist_csf:
  • PR.PS-01
  • PR.IR-01
  • ID.AM-08
  • DE.CM-01

Analyzing Kubernetes Audit Logs

When to Use

  • When investigating security incidents that require analyzing kubernetes audit logs
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Familiarity with container security concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities

Instructions

Parse Kubernetes audit log files (JSON lines format) to detect security-relevant events including unauthorized access, privilege escalation, and data exfiltration.

import json

with open("/var/log/kubernetes/audit.log") as f:
    for line in f:
        event = json.loads(line)
        verb = event.get("verb")
        resource = event.get("objectRef", {}).get("resource")
        user = event.get("user", {}).get("username")
        if verb == "create" and resource == "pods/exec":
            print(f"Pod exec by {user}")

Key events to detect:

  1. pods/exec and pods/attach (shell into containers)
  2. secrets access (get/list/watch)
  3. clusterrolebindings creation (RBAC escalation)
  4. Privileged pod creation
  5. Anonymous or system:unauthenticated access

Examples

# Detect secret enumeration
if verb in ("get", "list") and resource == "secrets":
    print(f"Secret access: {user} -> {event['objectRef'].get('name')}")