
THREAT-413 - Tune EKS Anonymous API Access Detection Rule (#1405) #1433

Merged
merged 8 commits into from
Dec 5, 2024

Conversation

@arielkr256 (Contributor)

Tuned version of #1405

Background

This change introduces a new detection rule for identifying anonymous API access to the Kubernetes API server in Amazon EKS clusters. Anonymous access should be disabled in production environments to prevent unauthorized access, as it poses a potential security risk. Detecting anonymous requests helps ensure that EKS clusters are properly configured for secure API usage.

Changes

  • Added a new detection rule Amazon.EKS.AnonymousAPIAccess to monitor and detect anonymous API requests to the Kubernetes API server.
  • Included a YAML configuration for the rule with severity set to medium and associated MITRE ATT&CK references.
  • Provided test cases to validate both anonymous and non-anonymous API requests.
  • Documented remediation steps and runbook reference to disable anonymous access in the Kubernetes configuration.

Testing

  • Ran panther_analysis_tool to validate the new detection rule and test cases.
  • Verified that the test cases pass for both anonymous and non-anonymous API access scenarios.
  • Ensured that the rule raises an alert for anonymous API requests and remains silent for authenticated API requests.
  • Tuned based on log data from lab environment

@arielkr256 arielkr256 requested a review from a team as a code owner November 18, 2024 20:47
@arielkr256 arielkr256 marked this pull request as draft November 18, 2024 20:47
@arielkr256 arielkr256 changed the title Revert "Revert "EKS Anonymous API Access Detection Rule (#1405)"" THREAT-413 - Tune EKS Anonymous API Access Detection Rule (#1405) Nov 18, 2024
@arielkr256 arielkr256 marked this pull request as ready for review November 18, 2024 21:04
@arielkr256 (Contributor Author)

@bcpenta we noticed some noise with this rule when we deployed it to our lab environment. Please take a look at the tuning changes and let us know if you have any questions!

@ben-githubs (Contributor) left a comment


I'd like to hold off on merging until we get those sample logs where objectRef is missing - I suspect the tuning improvements will probably exclude those events, but would like to confirm before we merge this!

@arielkr256 arielkr256 added rules Real-time log data detections tuning detection tuning labels Nov 21, 2024
@arielkr256 (Contributor Author)

Old title: Anonymous API access detected on Kubernetes API server from [10.0.21.88] to [<NO_OBJECT_RESOURCE>] in namespace [<NO_OBJECT_NAMESPACE>] on [Threat Research - EKS K8S GOAT]

New title: Anonymous API access detected on Kubernetes API server from [10.0.21.88] to [/healthz?exclude=kms-provider-0&exclude=kms-provider-1&exclude=kms-providers] on [Threat Research - EKS K8S GOAT]
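The detection logic described in the PR description and the title change shown in the comment above, as an added example that is not the panther-analysis `Amazon.EKS.AnonymousAPIAccess` rule itself: a Panther-style Python rule run over constructed EKS audit events. It alerts on requests made as `system:anonymous`, suppresses probes of the unauthenticated health endpoints (upstream Kubernetes binds `system:unauthenticated` to the `system:public-info-viewer` ClusterRole, which is why a healthy cluster emits these constantly), and builds a title that falls back to `requestURI` when `objectRef` is absent. The exact exclusion list, the `p_source_label` field and the sample events are assumptions of this example, not taken from the merged rule.

```python
from typing import Any, Dict, List

# Kubernetes attributes every unauthenticated request to this well-known user
# when the API server permits anonymous auth (the upstream default).
ANONYMOUS_USER = "system:anonymous"

# Assumption for this example: anonymous probes of these unauthenticated
# endpoints are treated as benign noise. The merged rule's exclusions may differ.
HEALTH_PATHS = frozenset({"/healthz", "/livez", "/readyz", "/version"})


def request_path(event: Dict[str, Any]) -> str:
    """Strip the query string: '/healthz?exclude=kms-provider-0' -> '/healthz'."""
    return (event.get("requestURI") or "").split("?", 1)[0]


def rule(event: Dict[str, Any]) -> bool:
    """Return True when an EKS audit event should raise an alert."""
    if event.get("user", {}).get("username") != ANONYMOUS_USER:
        return False
    # Suppress the health-probe traffic a healthy cluster produces constantly.
    if request_path(event) in HEALTH_PATHS:
        return False
    return True


def title(event: Dict[str, Any]) -> str:
    """Alert title; uses objectRef when present and requestURI otherwise."""
    source_ip = (event.get("sourceIPs") or ["<NO_SOURCE_IP>"])[0]
    obj = event.get("objectRef") or {}
    # p_source_label is an assumed enrichment field carrying the log source name.
    label = event.get("p_source_label", "<NO_SOURCE_LABEL>")
    if obj.get("resource"):
        target = f"[{obj['resource']}]"
        if obj.get("namespace"):
            target += f" in namespace [{obj['namespace']}]"
    else:
        target = f"[{event.get('requestURI', '<NO_REQUEST_URI>')}]"
    return (
        "Anonymous API access detected on Kubernetes API server "
        f"from [{source_ip}] to {target} on [{label}]"
    )


def alert_titles(events: List[Dict[str, Any]]) -> List[str]:
    """Run the rule over a batch of events and return one title per alert."""
    return [title(e) for e in events if rule(e)]


# Constructed sample events in the shape of EKS audit logs (not real log data).
SAMPLE_EVENTS = [
    {   # anonymous health probe with no objectRef: expected noise, no alert
        "user": {"username": "system:anonymous"},
        "sourceIPs": ["10.0.21.88"],
        "verb": "get",
        "requestURI": "/healthz?exclude=kms-provider-0&exclude=kms-provider-1&exclude=kms-providers",
        "responseStatus": {"code": 200},
        "p_source_label": "Threat Research - EKS K8S GOAT",
    },
    {   # anonymous list of a namespaced resource: alert, title built from objectRef
        "user": {"username": "system:anonymous"},
        "sourceIPs": ["10.0.21.88"],
        "verb": "list",
        "requestURI": "/api/v1/namespaces/default/secrets",
        "objectRef": {"resource": "secrets", "namespace": "default", "apiVersion": "v1"},
        "responseStatus": {"code": 403},
        "p_source_label": "Threat Research - EKS K8S GOAT",
    },
    {   # anonymous API discovery with no objectRef: alert, title falls back to requestURI
        "user": {"username": "system:anonymous"},
        "sourceIPs": ["203.0.113.7"],
        "verb": "get",
        "requestURI": "/apis",
        "responseStatus": {"code": 403},
        "p_source_label": "Threat Research - EKS K8S GOAT",
    },
    {   # authenticated request: never alerts
        "user": {"username": "kubernetes-admin", "groups": ["system:masters"]},
        "sourceIPs": ["10.0.21.10"],
        "verb": "list",
        "requestURI": "/api/v1/namespaces/default/secrets",
        "objectRef": {"resource": "secrets", "namespace": "default"},
        "responseStatus": {"code": 200},
        "p_source_label": "Threat Research - EKS K8S GOAT",
    },
]

if __name__ == "__main__":
    for alert in alert_titles(SAMPLE_EVENTS):
        print(alert)
```

Note the trade-off the path exclusion makes: an attacker probing `/healthz` or `/version` anonymously looks identical to a load balancer health check, so this rule deliberately gives up that reconnaissance signal in exchange for a usable alert volume. Anonymous requests that reach real resources still fire even when the API server answers 403, which is the case worth investigating, since it shows a caller is reaching the API server without credentials at all.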

@arielkr256 arielkr256 enabled auto-merge (squash) December 4, 2024 17:20
@arielkr256 arielkr256 disabled auto-merge December 5, 2024 17:16
@arielkr256 arielkr256 merged commit 5120292 into develop Dec 5, 2024
6 checks passed
@arielkr256 arielkr256 deleted the revert-1429-panos/revert-noisy-rule branch December 5, 2024 17:17