K8s Audit Log Resource Created

This alert occurs when Lacework detects, from Kubernetes audit log data, that a new resource was created in the cluster.

Why this alert is important

Unauthorized or unexpected resource creations can signify malicious activity or a security breach. Detecting new resources allows you to identify potential unauthorized access, configuration errors, or attempts to compromise the system. It enables you to mitigate security risks and immediately protect your cluster and applications.

Investigation

Follow these steps to investigate the alert:

  1. Gather logs from the Kubernetes control plane, cluster components, and relevant logging systems. Look for logs that capture resource creation events, such as API server logs, cluster event logs, or audit logs. These logs can provide information about the timing, source, and details of the resource creation.
  2. Kubernetes maintains an event stream that records resource creation, modification, or deletion events. Check the event stream to identify any recent events related to creating the resource you are investigating. Look for events that indicate the resource type, name, and relevant details.
  3. Use the Kubernetes API server or relevant command-line tools (such as kubectl) to query the state of the cluster and inspect the resources. Look for recently created resources, including their metadata, labels, and specifications. Examine the creation timestamps and any associated information that can help trace the origin of the resource creation.
  4. If you use a configuration management system (e.g., GitOps), review the configuration history to identify any recent changes related to the resource creation. Look for commit messages, pull requests, or other indicators that highlight the introduction of the new resource.
  5. Investigate the users or service accounts with permission to create resources. Check their access controls, roles, and role bindings to determine if unauthorized access or misconfigurations exist. Review authentication and authorization mechanisms to ensure only authorized entities can create resources.
  6. Monitor network traffic within the cluster to identify any suspicious connections or communication related to the resource creation. Analyze network logs, traffic flows, or packet captures to trace the source and destination of traffic associated with the resource crea
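As an added example (not Lacework's detection logic and not code from this page), the following Python script applies steps 1 and 2 above to a Kubernetes audit log in JSON-lines format: it keeps only successful `create` calls and flags the ones made by principals outside an allowlist of expected creators. The GitOps controller service-account name and the three sample audit events are constructed assumptions.

```python
import json

# Principals expected to create resources here; the controller name is an
# assumed placeholder, replace it with your own GitOps/CI identities.
EXPECTED_CREATORS = {"system:serviceaccount:flux-system:kustomize-controller"}

def parse_creations(audit_lines):
    """Yield successful resource creations from audit.k8s.io/v1 JSON lines."""
    for line in audit_lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        # Only the ResponseComplete stage carries the response code.
        if ev.get("verb") != "create" or ev.get("stage") != "ResponseComplete":
            continue
        code = ev.get("responseStatus", {}).get("code", 0)
        if not 200 <= code < 300:
            continue  # denied or failed creates did not produce a resource
        ref = ev.get("objectRef", {})
        user = ev.get("user", {}).get("username", "")
        yield {
            "time": ev.get("requestReceivedTimestamp", ""),
            "user": user,
            "source_ips": tuple(ev.get("sourceIPs", [])),
            "user_agent": ev.get("userAgent", ""),
            "resource": ref.get("resource", ""),
            "namespace": ref.get("namespace", "<cluster-scoped>"),
            "name": ref.get("name", ""),
            "expected": user in EXPECTED_CREATORS,
        }

def unexpected_creations(audit_lines):
    """Creations by principals outside the allowlist: the ones to investigate."""
    return [c for c in parse_creations(audit_lines) if not c["expected"]]

# Constructed sample events: an expected GitOps create, a forbidden attempt,
# and a successful kubectl create by a human user from an external address.
SAMPLE_AUDIT = [
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:flux-system:kustomize-controller"},"sourceIPs":["10.0.0.12"],"userAgent":"kustomize-controller/v1.2.0","objectRef":{"resource":"deployments","namespace":"web","name":"frontend"},"responseStatus":{"code":201},"requestReceivedTimestamp":"2024-03-01T10:00:00.000000Z"}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"jane"},"sourceIPs":["203.0.113.7"],"userAgent":"kubectl/v1.29.0","objectRef":{"resource":"pods","namespace":"kube-system","name":"curl-test"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2024-03-01T10:05:00.000000Z"}',
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"jane"},"sourceIPs":["203.0.113.7"],"userAgent":"kubectl/v1.29.0","objectRef":{"resource":"pods","namespace":"kube-system","name":"curl-test"},"responseStatus":{"code":201},"requestReceivedTimestamp":"2024-03-01T10:06:00.000000Z"}',
]

if __name__ == "__main__":
    for c in unexpected_creations(SAMPLE_AUDIT):
        print(f"{c['time']} {c['user']} {c['source_ips']} {c['user_agent']} "
              f"created {c['resource']}/{c['name']} in {c['namespace']}")
```

Feed it the API server's audit log file (one JSON event per line) to get the timestamp, principal, source address and user agent for each creation that needs a closer look in steps 3 to 5.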

Resolution

Follow these steps to resolve the alert:

  1. Disable or remove the malicious resource from your cluster. Depending on the severity of the threat, you may choose to stop the resource, delete it, or take appropriate actions to prevent it from causing harm. Ensure that associated resources, such as pods or services, are terminated or cleaned up.
  2. Evaluate the potential impact of the maliciously created resource. Determine if it has caused unauthorized access, data breaches, or disruptions to your applications or systems. Assess the affected services and data to understand the extent of the compromise.
  3. Treat the situation as a security incident and follow your organization's incident response plan. Activate your incident response team and involve relevant stakeholders, such as security personnel, system administrators, and legal or compliance teams. If needed, document the incident, capture relevant evidence, and maintain a chain of custody for forensic purposes.
  4. Conduct a thorough investigation to understand how the malicious resource was created and any associated activities or indicators of compromise. Analyze logs, audit trails, and any available evidence to identify the vulnerabilities or security gaps that allowed the resource to be created.
  5. Take steps to remediate the issue and strengthen your security measures to prevent similar incidents in the future. This may involve patching vulnerabilities, reviewing and adjusting access controls, implementing stronger security measures such as network policies or intrusion detection systems, and updating security practices and training.