SPL | Apache-2.0 | from splunk/security_content
Cisco Isovalent - Access To Cloud Metadata Service
The following analytic detects workloads accessing the cloud instance metadata service at 169.254.169.254. This link-local address is used by the AWS, GCP and Azure metadata endpoints and is frequently abused in SSRF or lateral-movement scenarios to obtain credentials and sensitive environment details. Investigate unexpected access to this service from application pods or namespaces where such behavior is atypical.
Rule source: detections/endpoint/cisco_isovalent___access_to_cloud_metadata_service.yml
`cisco_isovalent_process_connect`
| rename process_connect.parent.binary as binary
| `excluded_cloud_binaries`
| stats count min(_time) as firstTime max(_time) as lastTime values(dest_port) as dest_port values(src_ip) as src_ip
    by cluster_name pod_name pod_image_name pod_namespace node_name dest_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_isovalent___access_to_cloud_metadata_service_filter`
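The aggregation this search performs, reimplemented in Python over constructed Isovalent-style process_connect events, as an added illustration that is not code from splunk/security_content. The `excluded_cloud_binaries` macro is stood in for by a hypothetical set of binary paths, and the metadata-address match is applied as a plain dest_ip check; what the real macros contain is an assumption.

```python
# Address of the instance metadata service named in the analytic.
METADATA_IP = "169.254.169.254"

# Stand-in for the `excluded_cloud_binaries` macro. Contents are hypothetical;
# a real list holds the agents that legitimately poll the metadata service.
EXCLUDED_BINARIES = {"/usr/bin/cloud-init", "/usr/bin/aws-node"}

GROUP_KEYS = ("cluster_name", "pod_name", "pod_image_name",
              "pod_namespace", "node_name", "dest_ip")

def detect_metadata_access(events):
    """Mirror the SPL: drop excluded binaries, keep connects to METADATA_IP,
    then aggregate count / firstTime / lastTime / values() by GROUP_KEYS."""
    groups = {}
    for ev in events:
        if ev["binary"] in EXCLUDED_BINARIES or ev["dest_ip"] != METADATA_IP:
            continue
        key = tuple(ev[k] for k in GROUP_KEYS)
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"],
                                    "lastTime": ev["_time"],
                                    "dest_port": set(), "src_ip": set()})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
        g["dest_port"].add(ev["dest_port"])
        g["src_ip"].add(ev["src_ip"])
    # One row per group; values() are rendered as sorted, de-duplicated lists.
    rows = []
    for key, g in groups.items():
        row = dict(zip(GROUP_KEYS, key))
        row.update(count=g["count"], firstTime=g["firstTime"],
                   lastTime=g["lastTime"], dest_port=sorted(g["dest_port"]),
                   src_ip=sorted(g["src_ip"]))
        rows.append(row)
    return rows

def _ev(t, binary, pod, dest_ip, port=80):
    """Constructed process_connect event, already renamed to a `binary` field."""
    return {"_time": t, "binary": binary, "cluster_name": "prod-eks",
            "pod_name": pod, "pod_image_name": "shop/web:1.4",
            "pod_namespace": "shop", "node_name": "ip-10-0-1-20",
            "src_ip": "10.0.1.20", "dest_ip": dest_ip, "dest_port": port}

SAMPLE_EVENTS = [
    _ev(1700000000, "/usr/bin/curl", "web-7d9f", METADATA_IP),           # flagged
    _ev(1700000030, "/usr/bin/curl", "web-7d9f", METADATA_IP, 8080),     # same pod
    _ev(1700000060, "/usr/bin/cloud-init", "init-x", METADATA_IP),       # excluded
    _ev(1700000090, "/usr/bin/curl", "web-7d9f", "93.184.216.34", 443),  # not IMDS
]
```

Running `detect_metadata_access(SAMPLE_EVENTS)` yields a single row for pod `web-7d9f` with count 2 and both destination ports, matching what the `stats ... by` clause would produce for those events.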