Kubernetes

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types  | 3rd party detection | Hunters detection | IOC search | Search | Table name            | Log format | Collection method
Kubernetes Audit Logs |                     | ✅                 | ✅          |        | kubernetes_audit_logs | NDJSON     | S3


Overview

Kubernetes, also known as K8s, is an open-source system for automating the deployment, scaling, and management of containerized applications.

Integrating your Kubernetes logs with Hunters allows ingestion of the data, as well as leveraging it for Kubernetes-related detections and IOC Search.

Supported data types

Kubernetes Audit Logs

Table name: kubernetes_audit_logs

Kubernetes auditing provides a security-relevant, chronological set of records documenting the sequence of actions in a cluster. The cluster audits the activities generated by users, by applications that use the Kubernetes API, and by the control plane itself.

Learn more here.

Send data to Hunters

Hunters supports the ingestion of Kubernetes logs via an intermediary AWS S3 bucket.

To connect Kubernetes logs:

  1. Export your logs from your hosted Kubernetes to an AWS S3 bucket by following this guide.

  2. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Kubernetes Audit Log

Logs are expected in newline-delimited JSON (NDJSON) format, one audit event per line, as in the sample below.

{"@headers":{"platform":"ab-pc-6f"},"annotations":{"apiserver.latency.example.io/etcd":"3.501919ms","apiserver.latency.example.io/response-write":"1.002µs","apiserver.latency.example.io/serialize-response-object":"29.936µs","apiserver.latency.example.io/total":"30.005193246s","authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"ABC: allowed by ClusterRoleBinding ABC"},"auditID":"abcd123-642e-437f-b883-1234abc","level":"Metadata","objectRef":{"apiVersion":"v1","name":"abc-1-18-5-1234-v9hhq","namespace":"abc-system","resource":"pods","subresource":"mock"},"requestReceivedTimestamp":"2024-01-01T00:03:17.176364Z","requestURI":"/api/v1/namespaces/mock-system/pods/mock-1-18-5-1234-v9hhq/mock","responseStatus":{"code":500,"message":"error dialing backend: dial tcp 12.123.123.12:1234: i/o timeout","metadata":{},"status":"Failure"},"sourceIPs":["12.123.123.12"],"stage":"ResponseComplete","stageTimestamp":"2024-01-01T00:03:47.181557Z","user":{"extra":{"authentication.example.io/pod-name":["kiali-12345-abc"],"authentication.example.io/pod-uid":["1234abc-b7fe-4bc5-925a-abc123"]},"groups":["system:mock","system:serviceaccounts:mock-system","system:authenticated"],"uid":"abc123-6ce6-4c75-97ce-1234abc","username":"system:serviceaccount:mock-system:kiali"},"userAgent":"mock-http-client/1.1","verb":"create"}
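To show how events in this format map onto the fields a detection or IOC search would use, the following is an added example (not Hunters' code) that parses NDJSON audit events into flat rows, flags requests that authorization denied, and collects source IPs as IOC-search candidates. The first sample event is a trimmed copy of the one above; the second event and the malformed line are constructed to exercise the denied and bad-input cases.

```python
import json

# Constructed NDJSON input: line 1 is a trimmed copy of the page's sample event,
# line 2 is a constructed denied request, line 3 is deliberately malformed.
SAMPLE_NDJSON = (
    '{"annotations":{"authorization.k8s.io/decision":"allow"},'
    '"auditID":"abcd123-642e-437f-b883-1234abc","level":"Metadata",'
    '"objectRef":{"namespace":"abc-system","resource":"pods","subresource":"mock"},'
    '"responseStatus":{"code":500,"status":"Failure"},"sourceIPs":["12.123.123.12"],'
    '"stage":"ResponseComplete","user":{"username":"system:serviceaccount:mock-system:kiali"},'
    '"verb":"create"}\n'
    '{"annotations":{"authorization.k8s.io/decision":"forbid"},'
    '"auditID":"constructed-0001","level":"Metadata",'
    '"objectRef":{"namespace":"kube-system","resource":"secrets"},'
    '"responseStatus":{"code":403,"status":"Failure"},"sourceIPs":["10.0.0.5"],'
    '"stage":"ResponseComplete","user":{"username":"system:serviceaccount:default:app"},'
    '"verb":"list"}\n'
    'not json\n'
)


def parse_audit_ndjson(text):
    """Parse NDJSON audit events into flat rows. Returns (rows, bad_line_count)."""
    rows, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue  # tolerate blank lines between events
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            bad += 1  # count, but do not abort on, a corrupt line
            continue
        annotations = event.get("annotations") or {}
        object_ref = event.get("objectRef") or {}
        rows.append({
            "audit_id": event.get("auditID"),
            "stage": event.get("stage"),
            "verb": event.get("verb"),
            "username": (event.get("user") or {}).get("username"),
            "namespace": object_ref.get("namespace"),
            "resource": object_ref.get("resource"),
            "decision": annotations.get("authorization.k8s.io/decision"),
            "status_code": (event.get("responseStatus") or {}).get("code"),
            "source_ips": event.get("sourceIPs") or [],
        })
    return rows, bad


def find_denied(rows):
    """Detection logic: completed requests that authorization refused."""
    return [r for r in rows if r["stage"] == "ResponseComplete"
            and (r["decision"] == "forbid" or r["status_code"] == 403)]


def ioc_candidates(rows):
    """IOC-search input: the unique source IPs seen across the events."""
    return sorted({ip for r in rows for ip in r["source_ips"]})
```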