This documentation contains work-in-progress information for future Elastic Stack and Cloud releases. Use the version selector to view supported release docs. It also contains some Elastic Cloud serverless information. Check out our serverless docs for more details.
« Keychain Password Retrieval via Command Line Kubernetes Container Created with Excessive Linux Capabilities »
Elastic Docs Elastic Security Solution [8.16] Detections and alerts Prebuilt rule reference

Kubernetes Anonymous Request Authorized

edit

Kubernetes Anonymous Request Authorized

edit

This rule detects when an unauthenticated user request is authorized within the cluster. Attackers may attempt to use anonymous accounts to gain initial access to the cluster or to avoid attribution of their activities within the cluster. This rule excludes the /healthz, /livez and /readyz endpoints which are commonly accessed anonymously.

Rule type: query

Rule indices:

  • logs-kubernetes.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Kubernetes
  • Continuous Monitoring
  • Execution
  • Initial Access
  • Defense Evasion

Version: 2 (version history)

Added (Elastic Stack release): 8.5.0

Last modified (Elastic Stack release): 8.6.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positives

edit

Anonymous access to the API server is a dangerous setting enabled by default. Common anonymous connections (e.g., health checks) have been excluded from this rule. All other instances of authorized anonymous requests should be investigated.

Investigation guide

edit











Rule query
edit








event.dataset : "kubernetes.audit_logs" and
kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
and (kubernetes.audit.user.username:("system:anonymous" or
"system:unauthenticated") or not kubernetes.audit.user.username:*)
and not kubernetes.audit.objectRef.resource:("healthz" or "livez" or
"readyz")











Threat mapping
edit




Framework: MITRE ATT&CKTM














Rule version history
edit










Version 2 (8.6.0 release)








    

  • 

    Updated query, changed from:
    

    

    

    kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
and (kubernetes.audit.user.username:("system:anonymous" or
"system:unauthenticated") or not kubernetes.audit.user.username:*)
and not kubernetes.audit.objectRef.resource:("healthz" or "livez" or
"readyz")
    

    

    • 




















« Keychain Password Retrieval via Command Line


Kubernetes Container Created with Excessive Linux Capabilities »