From cybersecurity-skills
Parses Kubernetes API server audit logs to detect exec-into-pod, secret access, RBAC changes, privileged pods, and anonymous API access. Builds threat detection rules from audit patterns.
Trigger: the slash command /cybersecurity-skills:analyzing-kubernetes-audit-logs, or auto-loaded by Claude from the summary in its skill listing:
- When investigating security incidents that require analyzing Kubernetes audit logs
Parse Kubernetes audit log files (JSON lines format) to detect security-relevant events including unauthorized access, privilege escalation, and data exfiltration.
import json

with open("/var/log/kubernetes/audit.log") as f:
    for line in f:
        event = json.loads(line)
        verb = event.get("verb")
        ref = event.get("objectRef", {})
        resource = ref.get("resource")
        subresource = ref.get("subresource")
        user = event.get("user", {}).get("username")
        # exec is logged as resource "pods" with subresource "exec", not as "pods/exec"
        if verb == "create" and resource == "pods" and subresource == "exec":
            print(f"Pod exec by {user}")
Key events to detect:
# Detect secret enumeration (objectRef may be absent on some events, so use .get)
if verb in ("get", "list") and resource == "secrets":
    print(f"Secret access: {user} -> {event.get('objectRef', {}).get('name')}")
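As an added example (not the skill's own code), a stand-alone detector for all five event classes the skill names, run over constructed audit.k8s.io/v1 events; the rule names, SAMPLE_LOG and the assumption that privileged-pod detection needs a Request or RequestResponse audit level are mine:

```python
import json
# Constructed sample audit events (audit.k8s.io/v1 format, one JSON object per line).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"verb": "create", "user": {"username": "dev@example.com"},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "prod", "name": "web-1"}},
    {"verb": "list", "user": {"username": "system:serviceaccount:default:ci"},
     "objectRef": {"resource": "secrets", "namespace": "kube-system"}},
    {"verb": "create", "user": {"username": "admin"}, "objectRef": {"resource": "clusterrolebindings",
     "apiGroup": "rbac.authorization.k8s.io", "name": "grant-all"}},
    {"verb": "create", "user": {"username": "admin"}, "objectRef": {"resource": "pods", "namespace": "default",
     "name": "dbg"}, "requestObject": {"spec": {"containers": [{"securityContext": {"privileged": True}}]}}},
    {"verb": "get", "user": {"username": "system:anonymous"}, "objectRef": {"resource": "pods"}},
])

RBAC_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}

def classify(event):
    """Return the names of every detection rule this audit event matches."""
    verb = event.get("verb")
    user = event.get("user", {}).get("username", "")
    ref = event.get("objectRef") or {}
    resource, sub = ref.get("resource"), ref.get("subresource")
    hits = []
    if user == "system:anonymous":
        hits.append("anonymous_access")
    # exec is recorded as resource "pods" + subresource "exec", never as "pods/exec"
    if verb == "create" and resource == "pods" and sub == "exec":
        hits.append("pod_exec")
    if verb in ("get", "list") and resource == "secrets":
        hits.append("secret_access")
    if verb in ("create", "update", "patch", "delete") and resource in RBAC_RESOURCES \
            and ref.get("apiGroup") == "rbac.authorization.k8s.io":
        hits.append("rbac_change")
    # requestObject only exists when the audit policy level is Request or RequestResponse
    containers = ((event.get("requestObject") or {}).get("spec") or {}).get("containers", [])
    if verb == "create" and resource == "pods" and not sub and any(
            (c.get("securityContext") or {}).get("privileged") for c in containers):
        hits.append("privileged_pod")
    return hits

def scan(lines):
    """Return (rule, username, namespace/resource/name) for each detection in a JSON-lines log."""
    findings = []
    for line in filter(None, (l.strip() for l in lines)):
        event = json.loads(line)
        ref = event.get("objectRef") or {}
        target = f"{ref.get('namespace', '-')}/{ref.get('resource')}/{ref.get('name', '-')}"
        for rule in classify(event):
            findings.append((rule, event.get("user", {}).get("username"), target))
    return findings
```

Feed a real file with scan(open("/var/log/kubernetes/audit.log")) to get the same tuples; events that match no rule produce nothing.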
Install: npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills
Parses Kubernetes API server audit logs (JSON lines) to detect pod execs, secret access, RBAC modifications, privileged pod creation, and anonymous access. Builds threat detection rules for cluster compromise investigations and k8s SIEM rules.