valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

azure_kubernetes_secret_or_config_object_access.yml (#1790)

Browse Source 
* Create azure_kubernetes_secret_or_config_object_access.yml

* Delete azure_kubernetes_secret_or_config_object_access.yml

* Create azure_kubernetes_secret_or_config_object_access.yml

* Update azure_kubernetes_secret_or_config_object_access.yml

* Update azure_kubernetes_secret_or_config_object_access.yml

* Update azure_kubernetes_secret_or_config_object_access.yml

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
This commit is contained in:
Austin Songer 2021-08-09 01:29:42 -05:00 committed by GitHub
parent ec1d625735
commit 6989174e4b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 27 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
rules/cloud/azure_kubernetes_secret_or_config_object_access.yml Normal file
View File

@ -0,0 +1,27 @@
title: Azure Kubernetes Secret or Config Object Access
id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c
description: Identifies when a Kubernetes account access a sensitve objects such as configmaps or secrets.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/07
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.