From e344cfa8c9e414f0de98d3910b7c1d5658a0a4d8 Mon Sep 17 00:00:00 2001
From: Patrick
Date: Thu, 7 Dec 2023 11:19:02 +0100
Subject: [PATCH] kubernetes scanning
---
.../kubernetes_scanning/kubernetes_scanning.json | 3 +++
.../T1046/kubernetes_scanning/kubernetes_scanning.yml | 11 +++++++++++
2 files changed, 14 insertions(+)
create mode 100644 datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.json
create mode 100644 datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.yml
diff --git a/datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.json b/datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.json
new file mode 100644
index 00000000..017dc57f
--- /dev/null
+++ b/datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c79a28e5b8ce12898af556e09417e01aa929fd11c7a840754ce7ba65eceb13db
+size 5053
diff --git a/datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.yml b/datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.yml
new file mode 100644
index 00000000..3d2c69b7
--- /dev/null
+++ b/datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.yml
@@ -0,0 +1,11 @@
+author: Patrick Bareiss
+id: d8aaa455-a7ba-4bd8-a588-e09ef1dce552
+date: '2023-12-07'
+description: Kubernetes scanning activity in Kubernetes audit logs.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/kubernetes_scanning/kubernetes_scanning.json
+sourcetypes:
+- aws:cloudwatchlogs
+references:
+- https://attack.mitre.org/techniques/T1046
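Review bot: The `description` in kubernetes_scanning.yml is too thin for someone replaying this dataset against a detection, because it does not connect "Kubernetes audit logs" to the declared sourcetype `aws:cloudwatchlogs`. Presumably these are control-plane audit events collected through CloudWatch Logs, but the file should say so, along with what generated the scanning, e.g. `description: Kubernetes scanning activity recorded in Kubernetes audit logs collected via AWS CloudWatch Logs; generated with <tool/procedure>.` Separately, the `dataset` URL tracks the mutable `master` branch, so consumers get whatever is currently there. Anyone who needs a reproducible test fixture can check the downloaded file against the `oid sha256:` and `size` in the LFS pointer added by this same commit.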