analyzing-kubernetes-audit-logs

Solid

Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret access, RBAC modifications, privileged pod creation, and anonymous API access. Builds threat detection rules from audit event patterns. Use when investigating Kubernetes cluster compromise or building k8s-specific SIEM detection rules.

DevOps & Infrastructure 12,642 stars 1468 forks Updated today Apache-2.0

Quality Score: 97/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 78
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Analyzing Kubernetes Audit Logs

## When to Use

- When investigating security incidents that require analyzing Kubernetes audit logs
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Familiarity with container security concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities

## Instructions

Parse Kubernetes audit log files (JSON lines format) to detect security-relevant events including unauthorized access, privilege escalation, and data exfiltration.

```python
import json

with open("/var/log/kubernetes/audit.log") as f:
    for line in f:
        event = json.loads(line)
        verb = event.get("verb")
        ref = event.get("objectRef", {})
        # exec is a subresource of "pods": objectRef.resource is "pods" and
        # objectRef.subresource is "exec"; there is no resource named "pods/exec"
        resource = ref.get("resource")
        subresource = ref.get("subresource")
        user = event.get("user", {}).get("username")
        if verb == "create" and resource == "pods" and subresource == "exec":
            print(f"Pod exec by {user}")
```

Key events to detect:

1. pods/exec and pods/attach (shell into containers)
2. secrets access (get/list/watch)
3. clusterrolebindings creation (RBAC escalation)
4. Privileged pod creation
5. Anonymous or system:unauthenticated access

## Examples

```python
# Detect secret enumeration
if verb in ("get", "list") and resource == "secrets":
    pr...
```
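A single classifier covering all five key event classes above, added here as an example and not part of the skill's own code. The sample audit events are constructed, the rule names are my own, and the example goes slightly beyond the list by also flagging ClusterRoleBinding update/patch and by alerting only on the `ResponseComplete` stage so each request produces one alert rather than one per audit stage.

```python
import json

# Constructed sample audit events (one JSON object per line), not real cluster data.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"stage": "RequestReceived", "verb": "create", "user": {"username": "dev"},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "prod"}},
    {"stage": "ResponseComplete", "verb": "create", "user": {"username": "dev"}, "responseStatus": {"code": 101},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "prod"}},
    {"stage": "ResponseComplete", "verb": "list", "user": {"username": "system:serviceaccount:ci:runner"},
     "objectRef": {"resource": "secrets", "namespace": "prod"}, "responseStatus": {"code": 200}},
    {"stage": "ResponseComplete", "verb": "create", "user": {"username": "alice"}, "responseStatus": {"code": 201},
     "objectRef": {"resource": "clusterrolebindings", "name": "alice-admin"}},
    {"stage": "ResponseComplete", "verb": "create", "user": {"username": "bob"}, "responseStatus": {"code": 201},
     "objectRef": {"resource": "pods", "namespace": "default"},
     "requestObject": {"spec": {"containers": [{"name": "c", "securityContext": {"privileged": True}}]}}},
    {"stage": "ResponseComplete", "verb": "get", "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
     "objectRef": {"resource": "secrets", "namespace": "kube-system"}, "responseStatus": {"code": 403}},
])


def classify(event):
    """Map one audit event to a detection rule name, or None if it is not security-relevant."""
    if event.get("stage") != "ResponseComplete":  # a request is logged at several stages; alert once
        return None
    ref, user = event.get("objectRef") or {}, event.get("user") or {}
    verb, res, sub = event.get("verb"), ref.get("resource"), ref.get("subresource")
    if user.get("username") == "system:anonymous" or "system:unauthenticated" in user.get("groups", []):
        return "anonymous-access"  # denied requests (responseStatus.code 403) are still logged and still matter
    if res == "pods" and sub in ("exec", "attach"):
        return "pod-exec"  # exec/attach are subresources of "pods", not a resource called "pods/exec"
    if res == "secrets" and verb in ("get", "list", "watch"):
        return "secret-access"
    if res == "clusterrolebindings" and verb in ("create", "update", "patch"):
        return "rbac-escalation"
    if res == "pods" and verb == "create" and sub is None:
        spec = (event.get("requestObject") or {}).get("spec") or {}  # present only at audit level Request or higher
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            if (c.get("securityContext") or {}).get("privileged"):
                return "privileged-pod"
    return None


def detect(lines):
    """Run classify() over JSON-lines audit records and return one alert dict per hit."""
    alerts = []
    for event in (json.loads(line) for line in lines if line.strip()):
        rule = classify(event)
        if rule:
            alerts.append({"rule": rule, "user": (event.get("user") or {}).get("username"), "verb": event.get("verb"),
                           "resource": (event.get("objectRef") or {}).get("resource"),
                           "status": (event.get("responseStatus") or {}).get("code")})
    return alerts
```

Privileged-pod detection depends on `requestObject`, which the API server only records when the audit policy level for pods is `Request` or `RequestResponse`; at `Metadata` level that rule never fires.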

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

auditing-kubernetes-cluster-rbac

Auditing Kubernetes cluster RBAC configurations to identify overly permissive roles, wildcard permissions, dangerous ClusterRoleBindings, service account abuse, and privilege escalation paths using kubectl, rbac-tool, KubiScan, and Kubeaudit.

12,642 Updated today
mukul975
DevOps & Infrastructure Featured

detecting-privilege-escalation-in-kubernetes-pods

Detect and prevent privilege escalation in Kubernetes pods by monitoring security contexts, capabilities, and syscall patterns with Falco and OPA policies.

12,642 Updated today
mukul975
DevOps & Infrastructure Listed

kubernetes-manifest-audit

Audit Kubernetes manifests, Helm charts, and Kustomize overlays against CIS Kubernetes Benchmark and NSA/CISA hardening — pod security, resources, probes, RBAC, networking, secrets, availability. Static, live, apply, runtime modes.

3 Updated 4 days ago
anthril
AI & Automation Solid

analyzing-azure-activity-logs-for-threats

Queries Azure Monitor activity logs and sign-in logs via azure-monitor-query to detect suspicious administrative operations, impossible travel, privilege escalation, and resource modifications. Builds KQL queries for threat hunting in Azure environments. Use when investigating suspicious Azure tenant activity or building cloud SIEM detections.

12,642 Updated today
mukul975
AI & Automation Featured

analyzing-linux-audit-logs-for-intrusion

Uses the Linux Audit framework (auditd) with ausearch and aureport utilities to detect intrusion attempts, unauthorized access, privilege escalation, and suspicious system activity. Covers audit rule configuration, log querying, timeline reconstruction, and integration with SIEM platforms. Activates for requests involving auditd analysis, Linux audit log investigation, ausearch queries, aureport summaries, or host-based intrusion detection on Linux.

12,642 Updated today
mukul975