analyzing-kubernetes-audit-logslisted

Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret access, RBAC modifications, privileged pod creation, and anonymous API access. Builds threat detection rules from audit event patterns. Use when investigating Kubernetes cluster compromise or building k8s-specific SIEM detection rules.
26zl/cybersec-toolkit · ★ 11 · DevOps & Infrastructure · score 83

Install: claude install-skill 26zl/cybersec-toolkit

# Analyzing Kubernetes Audit Logs ## When to Use - When investigating security incidents that require analyzing kubernetes audit logs - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Familiarity with container security concepts and tools - Access to a test or lab environment for safe execution - Python 3.8+ with required dependencies installed - Appropriate authorization for any testing activities ## Instructions Parse Kubernetes audit log files (JSON lines format) to detect security-relevant events including unauthorized access, privilege escalation, and data exfiltration. ```python import json with open("/var/log/kubernetes/audit.log") as f: for line in f: event = json.loads(line) verb = event.get("verb") resource = event.get("objectRef", {}).get("resource") user = event.get("user", {}).get("username") if verb == "create" and resource == "pods/exec": print(f"Pod exec by {user}") ``` Key events to detect: 1. pods/exec and pods/attach (shell into containers) 2. secrets access (get/list/watch) 3. clusterrolebindings creation (RBAC escalation) 4. Privileged pod creation 5. Anonymous or system:unauthenticated access ## Examples ```python # Detect secret enumeration if verb in ("get", "list") and resource == "secrets": pr