From asi
Parses Kubernetes API server audit logs (JSON lines) to detect pod execs, secret access, RBAC modifications, privileged pod creation, and anonymous access. Builds threat detection rules for cluster compromise investigations and SIEM.
How this skill is triggered — by the user, by Claude, or both
Slash command
/asi:analyzing-kubernetes-audit-logs
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
- When investigating security incidents that require analyzing kubernetes audit logs
Parse Kubernetes audit log files (JSON lines format) to detect security-relevant events including unauthorized access, privilege escalation, and data exfiltration.
```python
import json

with open("/var/log/kubernetes/audit.log") as f:
    for line in f:
        event = json.loads(line)
        verb = event.get("verb")
        obj = event.get("objectRef", {})
        resource = obj.get("resource")
        # exec is recorded as resource "pods" with subresource "exec",
        # not as a single "pods/exec" string
        subresource = obj.get("subresource")
        user = event.get("user", {}).get("username")
        if verb == "create" and resource == "pods" and subresource == "exec":
            print(f"Pod exec by {user}")
```
Key events to detect:
```python
# Detect secret enumeration
if verb in ("get", "list") and resource == "secrets":
    print(f"Secret access: {user} -> {event['objectRef'].get('name')}")
```
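The snippets above show two of the checks in isolation; the following is an added example, not part of the skill's own code, that carries all five event classes the skill lists (pod exec, Secret access, RBAC changes, privileged Pod creation, anonymous access) through one parser over constructed audit lines. It assumes the standard Kubernetes audit Event layout (`auditID`, `stage`, `verb`, `user.username`/`user.groups`, `objectRef.resource`/`subresource`, `responseStatus.code`, and `requestObject` when the audit policy level is Request or RequestResponse); every sample event, username and resource name below is constructed.

```python
import json
from typing import Iterable

# Constructed sample audit events (JSON lines), not captured from a real cluster.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    # exec into a pod: the same request is logged at several stages under one auditID
    {"auditID": "a1", "stage": "RequestReceived", "verb": "create",
     "user": {"username": "alice", "groups": ["system:authenticated"]},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "prod", "name": "web-0"}},
    {"auditID": "a1", "stage": "ResponseStarted", "verb": "create",
     "user": {"username": "alice", "groups": ["system:authenticated"]},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "prod", "name": "web-0"},
     "responseStatus": {"code": 101}},
    # anonymous Secret listing, refused by RBAC (403)
    {"auditID": "a2", "stage": "ResponseComplete", "verb": "list",
     "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
     "objectRef": {"resource": "secrets", "namespace": "kube-system"},
     "responseStatus": {"code": 403}},
    # ClusterRoleBinding created by a service account
    {"auditID": "a3", "stage": "ResponseComplete", "verb": "create",
     "user": {"username": "ci-bot", "groups": ["system:serviceaccounts"]},
     "objectRef": {"resource": "clusterrolebindings", "apiGroup": "rbac.authorization.k8s.io", "name": "ci-admin"},
     "responseStatus": {"code": 201}},
    # privileged Pod created; requestObject is only present at Request/RequestResponse audit level
    {"auditID": "a4", "stage": "ResponseComplete", "verb": "create",
     "user": {"username": "bob", "groups": ["system:authenticated"]},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "dbg"},
     "requestObject": {"spec": {"containers": [
         {"name": "dbg", "image": "busybox", "securityContext": {"privileged": True}}]}},
     "responseStatus": {"code": 201}},
    # routine ConfigMap read, must not alert
    {"auditID": "a5", "stage": "ResponseComplete", "verb": "get",
     "user": {"username": "alice", "groups": ["system:authenticated"]},
     "objectRef": {"resource": "configmaps", "namespace": "prod", "name": "app"},
     "responseStatus": {"code": 200}},
])

RBAC_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}
WRITE_VERBS = {"create", "update", "patch", "delete"}


def is_privileged_pod(event: dict) -> bool:
    """True if any container or init container in the request body asks for privileged mode."""
    spec = (event.get("requestObject") or {}).get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return any((c.get("securityContext") or {}).get("privileged") is True for c in containers)


def classify(event: dict) -> list:
    """Return the detection labels that apply to one audit event (empty list if none)."""
    verb = event.get("verb")
    user = event.get("user", {})
    ref = event.get("objectRef", {})
    resource, sub = ref.get("resource"), ref.get("subresource")
    labels = []
    if resource == "pods" and sub in ("exec", "attach") and verb == "create":
        labels.append("pod_exec")
    if resource == "secrets" and verb in ("get", "list", "watch"):
        labels.append("secret_access")
    if resource in RBAC_RESOURCES and verb in WRITE_VERBS:
        labels.append("rbac_change")
    if resource == "pods" and verb == "create" and is_privileged_pod(event):
        labels.append("privileged_pod")
    if user.get("username") == "system:anonymous" or "system:unauthenticated" in user.get("groups", []):
        labels.append("anonymous_access")
    return labels


def detect(lines: Iterable[str]) -> list:
    """Parse JSON-lines audit events and return one finding per suspicious request.

    RequestReceived events carry no authorization outcome yet, so they are skipped;
    the remaining stages share an auditID and are de-duplicated on it.
    """
    findings, seen = [], set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or partially written line
        if event.get("stage") == "RequestReceived":
            continue
        labels = classify(event)
        audit_id = event.get("auditID")
        if not labels or audit_id in seen:
            continue
        seen.add(audit_id)
        ref = event.get("objectRef", {})
        findings.append({
            "auditID": audit_id,
            "labels": labels,
            "user": event.get("user", {}).get("username"),
            "verb": event.get("verb"),
            "target": f"{ref.get('namespace', '-')}/{ref.get('resource')}/{ref.get('name', '-')}",
            # 2xx or 101 means the API server allowed the request; 401/403 means it was refused
            "status": (event.get("responseStatus") or {}).get("code"),
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_AUDIT_LOG.splitlines()):
        print(finding)
```

Two points the single-snippet version hides: the API server writes one event per stage for the same request, so without the `auditID` de-duplication every exec shows up two or three times in a SIEM, and `responseStatus.code` is what separates a refused attempt (403, still worth alerting on for anonymous or Secret access) from a request that actually succeeded. Detecting privileged Pods needs the request body, so the audit policy must log `pods` at level Request or RequestResponse or `requestObject` will be absent.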
npx claudepluginhub plurigrid/asi --plugin asi