
Amazon EKS Kubernetes Pod scan detection

The following analytic detects unauthenticated requests made against the Kubernetes Pods API, indicating potential unauthorized access attempts. It leverages the `aws_cloudwatchlogs_eks` data source, filtering for events where `user.username` is "system:anonymous", `verb` is "list", and `objectRef.resource` is "pods", with `requestURI` set to "/api/v1/pods". This activity is significant as it may signal attempts to access sensitive resources or execute unauthorized commands within the Kubernetes environment. If confirmed malicious, such access could lead to data compromise, unauthorized command execution, or lateral movement within the cluster.

MITRE ATT&CK

T1526 (Cloud Service Discovery)
Detection Query

`aws_cloudwatchlogs_eks` "user.username"="system:anonymous" verb=list objectRef.resource=pods requestURI="/api/v1/pods"
  | rename source as cluster_name sourceIPs{} as src_ip
  | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(responseStatus.code) values(userAgent) values(verb) values(requestURI) BY src_ip cluster_name user.username user.groups{}
  | `security_content_ctime(lastTime)`
  | `security_content_ctime(firstTime)`
  | `amazon_eks_kubernetes_pod_scan_detection_filter`
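The same filter and per-source aggregation as the search above, written out in Python as an added example (this is not Splunk's or the ESCU project's code) so the logic can be exercised offline against a handful of constructed EKS audit events. It assumes, as the search's `rename` implies, that the Splunk `source` field carries the cluster name, and it uses an `allowlisted_src_ips` parameter in place of the trailing filter macro; the event lines themselves are made up, using Kubernetes audit field names.

```python
import json
from datetime import datetime, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"  # Kubernetes audit timestamps are RFC 3339 in UTC


def _event(ts, username, groups, verb, resource, uri, ip, ua, code, reason=None, cluster="eks-prod"):
    """Build one constructed audit event as a JSON line (audit.k8s.io field names)."""
    status = {"code": code}
    if reason:
        status["reason"] = reason
    return json.dumps({
        "source": cluster,  # assumption: Splunk's `source` field holds the EKS cluster name
        "requestReceivedTimestamp": ts,
        "user": {"username": username, "groups": groups},
        "verb": verb,
        "objectRef": {"resource": resource},
        "requestURI": uri,
        "sourceIPs": [ip],
        "userAgent": ua,
        "responseStatus": status,
    })


# Constructed sample input: four anonymous cluster-wide pod listings (two sources)
# plus three events that the search must ignore.
ANON = ["system:unauthenticated"]
SAMPLE_LOG_LINES = [
    _event("2026-02-25T10:00:01Z", "system:anonymous", ANON, "list", "pods", "/api/v1/pods", "203.0.113.10", "curl/8.5.0", 403, "Forbidden"),
    _event("2026-02-25T10:00:05Z", "system:anonymous", ANON, "list", "pods", "/api/v1/pods", "203.0.113.10", "python-requests/2.31", 403, "Forbidden"),
    _event("2026-02-25T10:00:09Z", "system:anonymous", ANON, "list", "pods", "/api/v1/pods", "203.0.113.10", "python-requests/2.31", 403, "Forbidden"),
    _event("2026-02-25T11:30:00Z", "system:anonymous", ANON, "list", "pods", "/api/v1/pods", "198.51.100.7", "curl/8.5.0", 403, "Forbidden"),
    # Ignored: an authenticated service account listing pods.
    _event("2026-02-25T10:00:02Z", "system:serviceaccount:kube-system:coredns", ["system:serviceaccounts"], "list", "pods", "/api/v1/pods?limit=500", "10.0.1.4", "coredns/v1.11", 200),
    # Ignored: anonymous, but a different verb and resource (health probe).
    _event("2026-02-25T10:00:03Z", "system:anonymous", ANON, "get", "", "/healthz", "10.0.0.9", "kube-probe/1.29", 200),
    # Ignored by the exact requestURI test even though it is an anonymous pod list.
    _event("2026-02-25T10:00:04Z", "system:anonymous", ANON, "list", "pods", "/api/v1/namespaces/default/pods", "203.0.113.10", "curl/8.5.0", 403, "Forbidden"),
]


def is_anonymous_pod_list(event):
    """Field filter equivalent to the SPL base search; every condition is an exact match."""
    user = event.get("user") or {}
    object_ref = event.get("objectRef") or {}
    return (
        user.get("username") == "system:anonymous"
        and event.get("verb") == "list"
        and object_ref.get("resource") == "pods"
        and event.get("requestURI") == "/api/v1/pods"
    )


def summarize(lines, allowlisted_src_ips=frozenset()):
    """Equivalent of `stats count min(_time) max(_time) values(...) BY src_ip cluster_name user.username user.groups{}`.

    `allowlisted_src_ips` stands in for the filter macro: vetted sources are dropped before reporting.
    Returns rows sorted by descending count, then source IP.
    """
    rows = {}
    for line in lines:
        event = json.loads(line)
        if not is_anonymous_pod_list(event):
            continue
        when = datetime.strptime(event["requestReceivedTimestamp"], TS_FMT).replace(tzinfo=timezone.utc)
        status = event.get("responseStatus") or {}
        # sourceIPs{} is multivalued; Splunk's stats gives each value its own group, so do the same.
        for src_ip in event.get("sourceIPs", []):
            if src_ip in allowlisted_src_ips:
                continue
            key = (src_ip, event.get("source"), event["user"]["username"], tuple(event["user"].get("groups", [])))
            row = rows.setdefault(key, {"count": 0, "firstTime": when, "lastTime": when, "reasons": set(),
                                        "codes": set(), "userAgents": set(), "verbs": set(), "requestURIs": set()})
            row["count"] += 1
            row["firstTime"] = min(row["firstTime"], when)
            row["lastTime"] = max(row["lastTime"], when)
            if "reason" in status:
                row["reasons"].add(status["reason"])
            if "code" in status:
                row["codes"].add(status["code"])
            if event.get("userAgent"):
                row["userAgents"].add(event["userAgent"])
            row["verbs"].add(event["verb"])
            row["requestURIs"].add(event["requestURI"])
    out = []
    for (src_ip, cluster, username, groups), row in rows.items():
        out.append({
            "src_ip": src_ip, "cluster_name": cluster, "username": username, "groups": list(groups),
            "count": row["count"],
            "firstTime": row["firstTime"].strftime(TS_FMT), "lastTime": row["lastTime"].strftime(TS_FMT),
            "reasons": sorted(row["reasons"]), "codes": sorted(row["codes"]),
            "userAgents": sorted(row["userAgents"]), "verbs": sorted(row["verbs"]),
            "requestURIs": sorted(row["requestURIs"]),
        })
    out.sort(key=lambda r: (-r["count"], r["src_ip"]))
    return out


if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG_LINES):
        print(json.dumps(r))
```

Two properties of the search carry over and are worth knowing when triaging: the `requestURI` condition is an exact match, so anonymous listings of a single namespace (`/api/v1/namespaces/<ns>/pods`) or requests carrying a query string do not surface here; and a source that is allowlisted through the filter macro disappears from the output entirely, so keep that list to sources you have actually verified.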

Author

Rod Soto, Splunk

Created

2026-02-25

Tags

Kubernetes Scanning Activity
Raw Content
name: Amazon EKS Kubernetes Pod scan detection
id: dbfca1dd-b8e5-4ba4-be0e-e565e5d62002
version: 6
date: '2026-02-25'
author: Rod Soto, Splunk
status: experimental
type: Hunting
description: The following analytic detects unauthenticated requests made against the Kubernetes Pods API, indicating potential unauthorized access attempts. It leverages the `aws_cloudwatchlogs_eks` data source, filtering for events where `user.username` is "system:anonymous", `verb` is "list", and `objectRef.resource` is "pods", with `requestURI` set to "/api/v1/pods". This activity is significant as it may signal attempts to access sensitive resources or execute unauthorized commands within the Kubernetes environment. If confirmed malicious, such access could lead to data compromise, unauthorized command execution, or lateral movement within the cluster.
data_source: []
search: |-
    `aws_cloudwatchlogs_eks` "user.username"="system:anonymous" verb=list objectRef.resource=pods requestURI="/api/v1/pods"
      | rename source as cluster_name sourceIPs{} as src_ip
      | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(responseStatus.code) values(userAgent) values(verb) values(requestURI)
        BY src_ip cluster_name user.username
           user.groups{}
      | `security_content_ctime(lastTime)`
      | `security_content_ctime(firstTime)`
      | `amazon_eks_kubernetes_pod_scan_detection_filter`
how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudWatch EKS Logs. Please also customize the `kubernetes_pods_aws_scan_fingerprint_detection` macro to filter out the false positives.
known_false_positives: Not all unauthenticated requests are malicious; request frequency, user agent, source IPs, and direct requests to the API provide context.
references: []
tags:
    analytic_story:
        - Kubernetes Scanning Activity
    asset_type: Amazon EKS Kubernetes cluster Pod
    mitre_attack_id:
        - T1526
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: threat