Kubernetes审计日志发现

Kubernetes audit logs finding types

Finding type	检测内容
CredentialAccess:Kubernetes/MaliciousIPCaller	从已知的恶意 IP 地址调用了常用于访问 Kubernetes 集群中凭证或机密的 API。
CredentialAccess:Kubernetes/MaliciousIPCaller.Custom	从自定义威胁列表中的 IP 地址调用了常用于访问 Kubernetes 集群中凭证或机密的 API。
CredentialAccess:Kubernetes/SuccessfulAnonymousAccess	未经身份验证的用户调用了用于访问 Kubernetes 集群中凭证或机密的常用 API。
CredentialAccess:Kubernetes/TorIPCaller	从 Tor 出口节点 IP 地址调用了一个常用于访问 Kubernetes 集群中凭证或机密的 API。
DefenseEvasion:Kubernetes/MaliciousIPCaller
DefenseEvasion:Kubernetes/MaliciousIPCaller.Custom
DefenseEvasion:Kubernetes/SuccessfulAnonymousAccess
DefenseEvasion:Kubernetes/TorIPCaller
Discovery:Kubernetes/MaliciousIPCaller
Discovery:Kubernetes/MaliciousIPCaller.Custom
Discovery:Kubernetes/SuccessfulAnonymousAccess
Discovery:Kubernetes/TorIPCaller
Execution:Kubernetes/ExecInKubeSystemPod
Impact:Kubernetes/MaliciousIPCaller
Impact:Kubernetes/MaliciousIPCaller.Custom
Impact:Kubernetes/SuccessfulAnonymousAccess
Impact:Kubernetes/TorIPCaller
Persistence:Kubernetes/ContainerWithSensitiveMount
Persistence:Kubernetes/MaliciousIPCaller
Persistence:Kubernetes/MaliciousIPCaller.Custom
Persistence:Kubernetes/SuccessfulAnonymousAccess
Persistence:Kubernetes/TorIPCaller
Policy:Kubernetes/AdminAccessToDefaultServiceAccount
Policy:Kubernetes/AnonymousAccessGranted
Policy:Kubernetes/ExposedDashboard
Policy:Kubernetes/KubeflowDashboardExposed
PrivilegeEscalation:Kubernetes/PrivilegedContainer
CredentialAccess:Kubernetes/AnomalousBehavior.SecretsAccessed
PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleBindingCreated
Execution:Kubernetes/AnomalousBehavior.ExecInPod
PrivilegeEscalation:Kubernetes/AnomalousBehavior.WorkloadDeployed!PrivilegedContainer
Persistence:Kubernetes/AnomalousBehavior.WorkloadDeployed!ContainerWithSensitiveMount
Execution:Kubernetes/AnomalousBehavior.WorkloadDeployed
PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleCreated
Discovery:Kubernetes/AnomalousBehavior.PermissionChecked