Enabling Easy Kubernetes Audit Logs Monitoring and Investigation
Alcide recently introduced Alcide kAudit, an automatic tool for analyzing Kubernetes Audit logs. This tool focuses on detecting non-compliant and anomalous behavior of users, automated service accounts and suspicious administration operations. Alcide’s recent integration with Sumo Logic enables users to gain full access to insights and real-time alerts from Alcide kAudit. Users are now able to detect Kubernetes’ compliance violations, security incidents, and administration activity anomalies directly from the Sumo Logic platform. They can also correlate and investigate these alerts with data from their other security data sources.
Combining Sumo Logic’s Ops capabilities with Alcide’s security offerings ensures users get full visibility into their Kubernetes clusters for application health, coupled with security insights for deeper investigation. This integration enables DevOps and security teams to focus on compliance violations and active security risks. This also enables users to quickly limit the “blast radius” and fix the causes of such security issues in their Kubernetes clusters.
Real-time Kubernetes Audit Analysis
Alcide kAudit automatically spots security-related issues with Kubernetes' administrative actions in near real-time, and tracks suspicious behaviors that can be identified by observing extended context over multiple activities. It combines a user-configured set of rules that filter any violation of the organization’s compliance policies.
The application will automatically target unique anomalies in the audited activity based on autonomous machine learning patterns.
Further down the pipeline, these findings can be pushed to DevOps teams as security-related alerts or collected for deep investigation and validation by security and audit experts to prove that a non-compliant activity or a security incident has taken place.
Getting Started: Exporting kAudit Findings and Integration
In the integration section, you can configure separate export channels for different alerts. For example, a dedicated channel for detected anomalies and another one for policy-matching audit entries. Each export integration is configured and used independently, so you can mix and match with Sumo Logic endpoints and Slack channels for example.
Configurable filters - Detections and Audit Policies
- Entity types - select one or more clusters, principals or resources
- Entity name - set Regex sequences on entities’ names, for which detections will be exported, and same for excluding other specific detections
- Detection type - Incident or Anomaly
- Detection confidence values - select one or more of High, Medium or Low confidence
- Rules names - a regular expression for selection of specific rules in the policy by their name. Only audit events matching these rules will be exported
Alcide kAudit uses logs generated by an agent installed on each Kubernetes cluster.
The kAudit input stream consists of two log types:
- Anomalies and incidents - appear as _sourcecategory="detections", include all anomalies and incidents identified by the kAudit agent.
- Audit entries - appear as _sourcecategory="selections", include findings related to Kubernetes’ audit logs entries that match one or more of kAudit policies.
Note that you may also set a rate limit on the number of messages sent per minute to the endpoint.
Proactively Identify Non-compliant Behavior and Operational Issues
Based on a configured set of rules that faithfully identify all violations of an organization’s policies, with comprehensive trails of non-compliant activity that has taken place. With automated filters, a collection of such alerts is periodically delivered to compliance investigators or any other responsible party for immediate actioning.
Intercept Anomalous K8s Behaviours Beyond Configuration Rules
Identifying K8s workloads that contain sensitive information such as access to critical databases throughout their lifecycle is a real challenge.
Alcide kAudit identifies irregular behaviors and suspicious activity patterns while observing them with extended contexts, such as:
- Exploited Vulnerabilities in the Kubernetes API Server
Authentication, authorization, admission control or validation requests breaches
- Violated Security Policies
Which are in conflict with compliance best practices
- Stolen Credentials
Can gain access to Kubernetes-based clusters or pods through social engineering
- Misconfigured RBAC
Lateral cluster or pod movement, privilege escalation, data access, and data manipulation
Complete visibility for DevSecOps
Reduce downtime and move from reactive to proactive monitoring.