investigations/gcp_kubernetes_activity_by_src_ip.yml

name: GCP Kubernetes activity by src ip
id: c00e7626-92cc-4e06-9a51-b6db0a50bd1f
version: 1
date: '2020-04-13'
author: Rod Soto, Splunk
type: Investigation
datamodel: []
description: This search provides investigation data about requests via user agent,
  authentication request URI, resource path and cluster name data against Kubernetes
  cluster from a specific IP address
search: '`google_gcp_pubsub_message` | rename data.protoPayload.requestMetadata.callerIp
  as src_ip | search src_ip =$src_ip$ | stats count min(_time) as firstTime max(_time)
  as lastTime values(data.protoPayload.methodName) as method_names values(data.protoPayload.resourceName)
  as resource_name values(data.protoPayload.requestMetadata.callerSuppliedUserAgent)
  as http_user_agent values(data.protoPayload.authenticationInfo.principalEmail) as
  user values(data.protoPayload.status.message) by src_ip data.resource.labels.cluster_name
  data.resource.type'
how_to_implement: You must install the GCP App for Splunk (version 2.0.0 or later),
  then configure stackdriver and set a Pub/Sub subscription to be imported to Splunk.
  You must also install Cloud Infrastructure data model.Customize the macro kubernetes_gcp_scan_fingerprint_attack_detection
  to filter out FPs.
known_false_positives: ''
references: []
tags:
  analytic_story:
  - Kubernetes Scanning Activity
  product:
  - Splunk Phantom
  required_fields:
  - _time
  - data.protoPayload.requestMetadata.callerIp
  - data.protoPayload.methodName
  - data.protoPayload.resourceName
  - data.protoPayload.requestMetadata.callerSuppliedUserAgent
  - data.protoPayload.authenticationInfo.principalEmail
  - data.protoPayload.status.message
  - data.resource.labels.cluster_name
  - data.resource.type
  security_domain: network