Skill

analyzing-kubernetes-audit-logs

From asi

Parses Kubernetes API server audit logs (JSON lines) to detect pod execs, secret access, RBAC modifications, privileged pod creation, and anonymous access. Builds threat detection rules for cluster compromise investigations and SIEM.

Kubernetes

Python

security

npx claudepluginhub plurigrid/asi --plugin asi

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- When investigating security incidents that require analyzing kubernetes audit logs

SKILL.md

Similar Skills

analyzing-kubernetes-audit-logs

5.9k

Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret access, RBAC modifications, privileged pod creation, and anonymous API access. Builds threat detection rules for cluster investigations.

3 files

cybersecurity-skills

analyzing-kubernetes-audit-logs

Parses Kubernetes API server audit logs (JSON lines) to detect Pod execs, Secret access, RBAC modifications, privileged Pod creation, and anonymous API access. Builds threat detection rules for cluster intrusion investigations or k8s SIEM.

3 files

cybersecurity-skills-zh

auditing-kubernetes-cluster-rbac

Audits Kubernetes RBAC configurations for overly permissive roles, wildcard permissions, dangerous bindings, service account abuse, and privilege escalation using kubectl, rbac-tool, KubiScan, Kubeaudit. For cluster security assessments on EKS, GKE, AKS.

asi

Stats

Parent Repo Stars16

Parent Repo Forks5

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Analyzing Kubernetes Audit Logs

When to Use

When investigating security incidents that require analyzing kubernetes audit logs

When building detection rules or threat hunting queries for this domain

When SOC analysts need structured procedures for this analysis type

When validating security monitoring coverage for related attack techniques

Prerequisites

Familiarity with container security concepts and tools

Access to a test or lab environment for safe execution

Python 3.8+ with required dependencies installed

Appropriate authorization for any testing activities

Instructions

Parse Kubernetes audit log files (JSON lines format) to detect security-relevant events including unauthorized access, privilege escalation, and data exfiltration.

import json with open("/var/log/kubernetes/audit.log") as f: for line in f: event = json.loads(line) verb = event.get("verb") resource = event.get("objectRef", {}).get("resource") user = event.get("user", {}).get("username") if verb == "create" and resource == "pods/exec": print(f"Pod exec by {user}")

Key events to detect:

pods/exec and pods/attach (shell into containers)

secrets access (get/list/watch)

clusterrolebindings creation (RBAC escalation)

Privileged pod creation

Anonymous or system:unauthenticated access

Examples

# Detect secret enumeration if verb in ("get", "list") and resource == "secrets": print(f"Secret access: {user} -> {event['objectRef'].get('name')}")