A tool for collecting Kubernetes cluster data and ingesting it into Azure Log Analytics workspace for analysis post-compromise.
Documentation is available at the KubeForenSys documentation.
KubeForenSys is a Python-based tool that automatically collects various types of data from Kubernetes clusters and sends it to Azure Log Analytics workspace. It specifically focusses on collecting data from Azure Kubernetes Service clusters.
- Pod Logs Collection: Retrieves logs from all running pods across namespaces
- Kubernetes Events: Collects cluster events
- Command History: Extracts command history from containers for security analysis
- Service Accounts: Gathers service account information and configurations
- Suspicious Pod Detection: Identifies potentially suspicious pods based on security criteria
- RBAC Bindings: Collects Role-Based Access Control bindings and roles
- CronJob Information: Retrieves details about cronjob containers
- Network Policies: Gathers network policy configurations
- Azure Integration: Automatically provisions Log Analytics workspace and data collection infrastructure
- Python 3.8 or higher
kubectlconfigured and authenticated to your Kubernetes cluster- Azure subscription with appropriate permissions
-
Clone the repository:
git clone git@github.com:invictus-ir/KubeForenSys.git cd KubeForenSys -
Install Python dependencies:
pip install -r requirements.txt
-
Set up environment variables:
Create a
.envfile in the project root:SUBSCRIPTION_ID="your-azure-subscription-id" CLUSTER_NAME="your-aks-cluster-name" RESOURCE_GROUP_NAME="your-resource-group-name"
Or set them as environment variables:
export SUBSCRIPTION_ID="your-azure-subscription-id" export CLUSTER_NAME="your-aks-cluster-name" export RESOURCE_GROUP_NAME="your-resource-group-name"
Run the tool with default settings:
python3 kubeforensys.pyCustomize the data collection with command-line arguments:
python3 kubeforensys.py \
--since_seconds 172800 \
--workspace_name "MyKubeWorkspace" \
--dce_name "MyDataCollectionEndpoint" \
--location "eastus"--since_seconds: Fetch logs since these many seconds ago (default: 86400 = 24 hours)--workspace_name: Name of the Log Analytics workspace (default: "KubeForenSys-LAW")--dce_name: Name of the Data Collection Endpoint (default: "Kube-DCE")--location: Azure region (default: "westeurope")
The tool collects the following data types and uploads them to separate custom tables in Log Analytics:
- kubelogs_CL: Container logs from all pods
- kubeevents_CL: Kubernetes cluster events
- commandhistory_CL: Command history from containers
- serviceaccounts_CL: Service account configurations
- suspiciouspods_CL: Potentially suspicious pods
- rbacbindings_CL: RBAC bindings and roles
- cronjobs_CL: CronJob container information
- networkpolicies_CL: Network policy configurations
The tool automatically creates:
- Log Analytics workspace
- Data Collection Endpoint (DCE)
- Data Collection Rules (DCR) for each data type
- Custom tables in Log Analytics workspace
- The tool skips system namespaces (
kube-system,azure-arc,gatekeeper-system) - Uses Azure DefaultAzureCredential for authentication
- Data is retained for 30 days by default. This can be altered through the Azure portal where necessary.
- Kubernetes Access: Verify
kubectlis configured and can access the cluster - Resource Creation: Check that your Azure subscription has permissions to create Log Analytics resources (see custom_role.json)
- Network Access: Ensure the data collection endpoint has proper network access configured
kubernetes: Kubernetes Python clientpython-dotenv: Environment variable managementazure.identity: Azure authenticationazure.monitor.ingestion: Azure Monitor data ingestionazure.mgmt.containerservice: Azure Container Service managementazure.mgmt.loganalytics: Azure Log Analytics management
