Commit

schema typos
sfc-gh-kderevyanik committed Dec 6, 2023
1 parent 56f4f13 commit 4349dd2
Showing 3 changed files with 13 additions and 13 deletions.
@@ -15,7 +15,7 @@ Query: |-
WHERE
verb IN ('create', 'update')
AND objectRef:resource = 'pods'
AND ARRAY_INTERSECTION(REQUEST_OBJECT:spec:containers[0]:securityContext:capabilities:add, ARRAY_CONSTRUCT('BPF','NET_ADMIN','SYS_ADMIN')) != [] --linux capabilities array intersect to identify if any are present
AND ARRAY_INTERSECTION(requestObject:spec:containers[0]:securityContext:capabilities:add, ARRAY_CONSTRUCT('BPF','NET_ADMIN','SYS_ADMIN')) != [] --linux capabilities array intersect to identify if any are present
AND requestObject:spec:containers[0]:securityContext is not null
AND p_occurs_since('30 minutes')
--insert allow-list for pods that are expected to have privileged linux capabilities, for example a observability agent
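Review bot: the capability check on the changed line, and the `securityContext is not null` guard two lines below it, only inspect `spec:containers[0]`, so a pod whose second or later container (or an init container) adds `BPF`, `NET_ADMIN` or `SYS_ADMIN` will not match this detection. Flattening `requestObject:spec:containers` (and `initContainers`) with `LATERAL FLATTEN` and testing `VALUE:securityContext:capabilities:add` per container, the way the services query in this same commit flattens `spec:ports`, would close that gap. Because `ARRAY_INTERSECTION(...) != []` can only be true when the path resolves, the separate `is not null` guard is redundant and can be dropped.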
@@ -14,7 +14,7 @@ Query: >
WHERE
verb IN ('create', 'update', 'patch')
AND objectRef:resource = 'pods'
AND request_object:spec:volumes[0]:hostPath:path ilike ANY ('/var/run/docker.sock','/var/run/crio/crio.sock','/var/lib/kubelet','/var/lib/kubelet/pki','/var/lib/docker/overlay2','/etc/kubernetes','/etc/kubernetes/manifests','/etc/kubernetes/pki','/home/admin')
AND requestObject:spec:volumes[0]:hostPath:path ilike ANY ('/var/run/docker.sock','/var/run/crio/crio.sock','/var/lib/kubelet','/var/lib/kubelet/pki','/var/lib/docker/overlay2','/etc/kubernetes','/etc/kubernetes/manifests','/etc/kubernetes/pki','/home/admin')
AND p_occurs_since('30 minutes')
--insert allow-list for expected workloads that require a sensitive mount
LIMIT 10
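Review bot: the renamed `requestObject:spec:volumes[0]:hostPath:path` test still only examines the first entry of `spec:volumes`, so a sensitive hostPath declared as the second or later volume is missed; a `LATERAL FLATTEN(requestObject:spec:volumes)` over all entries would cover them. The `ilike ANY (...)` list carries no wildcards, so it is an exact case-insensitive comparison: a trailing slash (`/var/lib/kubelet/`) or a parent directory of a listed path does not match, and prefix patterns such as `'/var/lib/kubelet%'` or `'/etc/kubernetes%'` would make the match more robust. Note also that `LIMIT 10` on a detection query caps the rows returned per run, which can silently truncate matches once the allow-list mentioned in the comment is filled in.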
@@ -7,21 +7,21 @@ Description: >
This detection monitors for any kubernetes service deployed with type node port. A Node Port service allows an attacker to expose a set of pods hosting the service to the internet by opening their port and redirecting traffic here. This can be used to bypass network controls and intercept traffic, creating a direct line to the outside network.
Query: >
SELECT *,
OBJECT_REF:name as service,
OBJECT_REF:namespace as namespace,
OBJECT_REF:resource as resource_type,
objectRef:name as service,
objectRef:namespace as namespace,
objectRef:resource as resource_type,
COALESCE(impersonated_user, USER:username) as src_user,
USER_AGENT,
RESPONSE_OBJECT:spec:externalTrafficPolicy as external_traffic_policy,
RESPONSE_OBJECT:spec:internalTrafficPolicy as internal_traffic_policy,
RESPONSE_OBJECT:spec:clusterIP as cluster_ip_address,
userAgent,
responseObject:spec:externalTrafficPolicy as external_traffic_policy,
responseObject:spec:internalTrafficPolicy as internal_traffic_policy,
responseObject:spec:clusterIP as cluster_ip_address,
VALUE:port as port, --port where traffic gets forwarded to in the pod
VALUE:protocol as protocol, --protocol the service uses
VALUE:nodePort as node_port, --which port acts as the nodeport on all the nodes
REQUEST_OBJECT:spec:type as type,
IFF(REQUEST_OBJECT:spec:status:loadBalancer is null, 'No LB Present',
REQUEST_OBJECT:spec:status:loadBalancer) as load_balancer,
RESPONSE_STATUS:code as response_status
requestObject:spec:type as type,
IFF(requestObject:spec:status:loadBalancer is null, 'No LB Present',
requestObject:spec:status:loadBalancer) as load_balancer,
responseStatus:code as response_status
FROM panther_logs.public.kubernetes_control_plane, lateral flatten(response_object:spec:ports)
WHERE
objectRef:resource = 'services'
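Review bot: the rename is incomplete on the unchanged `FROM` line: `lateral flatten(response_object:spec:ports)` still uses the old snake_case field while every select-list reference now uses `responseObject`. If the column is indeed `responseObject`, the flatten produces no rows and the detection goes silent, so it should read `lateral flatten(responseObject:spec:ports)`; the same check applies to `USER:username` in the `COALESCE`, which was not touched. Separately, `requestObject:spec:status:loadBalancer` is unlikely ever to be non-null: in a Kubernetes Service object `status` is a top-level field alongside `spec`, not nested under it, so `load_balancer` will always report 'No LB Present'; `responseObject:status:loadBalancer` is the path that carries the load balancer ingress data on a create/update response.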