cscli scenarios install crowdsecurity/k8s-audit-api-server-bruteforce
Detects bruteforce attempts against the K8S API server.
This scenario needs the K8S audit logs to work.
```yaml
type: leaky
name: crowdsecurity/k8s-audit-api-server-bruteforce
description: "Detect bruteforce attempts against K8S API server"
filter: |
  evt.Meta.log_type == 'k8s-audit' &&
  (
    (evt.Meta.datasource_type == "k8s-audit" && evt.Unmarshaled.k8s_audit.ResponseStatus.code in [401, 403])
    ||
    (evt.Meta.datasource_type != "k8s-audit" && evt.Unmarshaled.k8s_audit.responseStatus.code in [401, 403])
  )
leakspeed: "10s"
capacity: 5
groupby: evt.Meta.source_ip
blackhole: 1m
reprocess: true
labels:
  remediation: true
  classification:
    - attack.T1110
  behavior: "k8s:bruteforce"
  label: "Kubernetes API Bruteforce"
  spoofable: 0
  confidence: 3
  service: k8s
```
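To see when this scenario actually fires, the following added example (not CrowdSec's code, and not part of the hub page) models the leaky bucket the scenario declares: events matching the filter (audit entries whose `responseStatus.code` is 401 or 403) are grouped by source IP, one event leaks out every `leakspeed` (10s), the bucket overflows once its level exceeds `capacity` (5), and a second overflow for the same key within `blackhole` (1m) is suppressed. The bucket semantics are a simplified reading of the CrowdSec documentation, the audit events are constructed, and the source IP is taken directly from `sourceIPs[0]` in place of the parser-derived `evt.Meta.source_ip`.

```python
"""Simplified stand-alone model of the k8s-audit-api-server-bruteforce scenario.
Added example, not CrowdSec's implementation; bucket semantics are a simplified
reading of the CrowdSec docs (leak one event per leakspeed, overflow when the
level exceeds capacity, blackhole the key after an overflow)."""
from dataclasses import dataclass
from datetime import datetime

LEAKSPEED_S = 10.0  # leakspeed: "10s"
CAPACITY = 5        # capacity: 5
BLACKHOLE_S = 60.0  # blackhole: 1m


def _ts(iso: str) -> float:
    """Epoch seconds from an ISO-8601 timestamp with an explicit UTC offset."""
    return datetime.fromisoformat(iso).timestamp()


def _audit_event(ts: str, ip: str, code: int) -> dict:
    """Minimal constructed Kubernetes audit Event; only the fields used here."""
    return {"kind": "Event", "requestReceivedTimestamp": ts,
            "sourceIPs": [ip], "responseStatus": {"code": code}}


# Constructed sample input (not real logs): one address sends a burst of seven
# 401s in seven seconds, then a second burst of 403s twenty seconds later;
# another address gets two 403s thirty seconds apart; one 200 must be ignored.
SAMPLE_EVENTS = (
    [_audit_event(f"2024-01-01T00:00:{i:02d}+00:00", "203.0.113.10", 401) for i in range(7)]
    + [_audit_event(f"2024-01-01T00:00:{i:02d}+00:00", "203.0.113.10", 403) for i in range(20, 26)]
    + [_audit_event("2024-01-01T00:00:03+00:00", "203.0.113.10", 200),
       _audit_event("2024-01-01T00:00:10+00:00", "198.51.100.7", 403),
       _audit_event("2024-01-01T00:00:40+00:00", "198.51.100.7", 403)]
)


def matches_filter(evt: dict) -> bool:
    """Mirror of the scenario filter: keep only 401/403 responses."""
    return evt.get("responseStatus", {}).get("code") in (401, 403)


@dataclass
class Bucket:
    level: float = 0.0   # events currently in the bucket
    last_ts: float = 0.0  # time of the last event, for computing the leak


def run_scenario(events: list) -> tuple:
    """Return (alerts, suppressed): overflows that fired and overflows
    swallowed by the blackhole, each as (source_ip, timestamp)."""
    buckets: dict = {}
    blackhole_until: dict = {}
    alerts, suppressed = [], []
    for evt in sorted(events, key=lambda e: _ts(e["requestReceivedTimestamp"])):
        if not matches_filter(evt):
            continue
        key = evt["sourceIPs"][0]  # groupby: evt.Meta.source_ip
        now = _ts(evt["requestReceivedTimestamp"])
        b = buckets.setdefault(key, Bucket(last_ts=now))
        # Leak one event per leakspeed since the previous event, then add this one.
        b.level = max(0.0, b.level - (now - b.last_ts) / LEAKSPEED_S)
        b.last_ts = now
        b.level += 1.0
        if b.level > CAPACITY:
            del buckets[key]  # an overflowed bucket is discarded; a fresh one starts next time
            if now >= blackhole_until.get(key, 0.0):
                alerts.append((key, evt["requestReceivedTimestamp"]))
                blackhole_until[key] = now + BLACKHOLE_S
            else:
                suppressed.append((key, evt["requestReceivedTimestamp"]))
    return alerts, suppressed


if __name__ == "__main__":
    fired, swallowed = run_scenario(SAMPLE_EVENTS)
    print("alerts:", fired)
    print("suppressed by blackhole:", swallowed)
```

With the constructed input the sixth failed request from 203.0.113.10 (at second 5) pushes the level to about 5.5 and raises the alert; the second burst overflows again at second 25 but falls inside the one-minute blackhole and is suppressed, and the two spaced-out 403s from 198.51.100.7 never exceed a level of 1 because the bucket leaks three events between them.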