GCP Kubernetes Rolebindings Created or Patched
Identifies the creation or patching of potentially malicious role bindings. Users can use role bindings and cluster role bindings to assign roles to Kubernetes subjects (users, groups, or service accounts).
Elastic rule
[metadata]
creation_date = "2021/06/06"
maturity = "deprecated"
deprecation_date = "2022/10/04"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/10/04"
integration = "gcp"

[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies the creation or patching of potentially malicious role bindings. Users can use role bindings and cluster role
bindings to assign roles to Kubernetes subjects (users, groups, or service accounts).
"""
from = "now-20m"
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Kubernetes Rolebindings Created or Patched"
note = """## Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
    "https://unofficial-kubernetes.readthedocs.io/en/latest/admin/authorization/rbac/",
    "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control",
]
risk_score = 47
rule_id = "2f0bae2d-bf20-4465-be86-1311addebaa3"
severity = "medium"
tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:(googlecloud.audit or gcp.audit) and event.action:(io.k8s.authorization.rbac.v*.clusterrolebindings.create or
io.k8s.authorization.rbac.v*.rolebindings.create or io.k8s.authorization.rbac.v*.clusterrolebindings.patch or
io.k8s.authorization.rbac.v*.rolebindings.patch) and event.outcome:success and
not gcp.audit.authentication_info.principal_email:"system:addon-manager"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
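To make the KQL query above concrete, here is an added Python example (not part of the Elastic rule or its repository) that applies the same four conditions to a handful of constructed GKE audit events already mapped to the ECS field names the rule uses (`event.dataset`, `event.action`, `event.outcome`, `gcp.audit.authentication_info.principal_email`). The `v*` wildcard in the rule's action patterns is reproduced with `fnmatch`, and the `not principal_email:"system:addon-manager"` clause is treated the way KQL does: an event with no principal field still matches. The sample events, principal addresses and cluster details are invented for illustration.

```python
import fnmatch
from typing import Any, Dict, List, Optional

# The four event.action patterns from the rule; "v*" covers v1, v1beta1, etc.
ACTION_PATTERNS = [
    "io.k8s.authorization.rbac.v*.clusterrolebindings.create",
    "io.k8s.authorization.rbac.v*.rolebindings.create",
    "io.k8s.authorization.rbac.v*.clusterrolebindings.patch",
    "io.k8s.authorization.rbac.v*.rolebindings.patch",
]
DATASETS = {"googlecloud.audit", "gcp.audit"}
# Principals excluded by the rule's "not ..." clause (GKE's own addon manager).
EXCLUDED_PRINCIPALS = {"system:addon-manager"}


def get_field(event: Dict[str, Any], dotted: str) -> Optional[Any]:
    """Resolve an ECS-style dotted path such as 'event.action' in a nested dict."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(event: Dict[str, Any]) -> bool:
    """Return True if the event satisfies every clause of the rule's KQL query."""
    if get_field(event, "event.dataset") not in DATASETS:
        return False
    action = get_field(event, "event.action") or ""
    if not any(fnmatch.fnmatchcase(action, pat) for pat in ACTION_PATTERNS):
        return False
    if get_field(event, "event.outcome") != "success":
        return False
    # KQL "not field:value" is also true when the field is absent.
    principal = get_field(event, "gcp.audit.authentication_info.principal_email")
    return principal not in EXCLUDED_PRINCIPALS


def find_alerts(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Filter a batch of events down to those the rule would alert on."""
    return [e for e in events if matches_rule(e)]


def _evt(dataset: str, action: str, outcome: str, principal: Optional[str]) -> Dict[str, Any]:
    """Build a constructed, minimal ECS-shaped GCP audit event (sample data only)."""
    event: Dict[str, Any] = {"event": {"dataset": dataset, "action": action, "outcome": outcome}}
    if principal is not None:
        event["gcp"] = {"audit": {"authentication_info": {"principal_email": principal}}}
    return event


# Constructed sample events: two should alert, three should not.
SAMPLE_EVENTS = [
    # human user binds a ClusterRole: alert
    _evt("gcp.audit", "io.k8s.authorization.rbac.v1.clusterrolebindings.create",
         "success", "dev@example.com"),
    # GKE addon manager patching a RoleBinding: excluded by the rule
    _evt("gcp.audit", "io.k8s.authorization.rbac.v1.rolebindings.patch",
         "success", "system:addon-manager"),
    # failed attempt: no alert (event.outcome is not success)
    _evt("googlecloud.audit", "io.k8s.authorization.rbac.v1.rolebindings.create",
         "failure", "ci-bot@example.iam.gserviceaccount.com"),
    # beta API version, RoleBinding patch, principal field missing: alert
    _evt("googlecloud.audit", "io.k8s.authorization.rbac.v1beta1.rolebindings.patch",
         "success", None),
    # creating a Role (not a binding) is outside the rule's scope: no alert
    _evt("gcp.audit", "io.k8s.authorization.rbac.v1.roles.create",
         "success", "dev@example.com"),
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(get_field(alert, "event.action"),
              get_field(alert, "gcp.audit.authentication_info.principal_email"))
```

Running the script prints the two alerting events. The third sample illustrates why `event.outcome:success` matters for triage: a denied binding attempt is still worth seeing in a separate lower-severity rule, but this rule deliberately fires only when the RBAC change actually landed.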
Setup
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
Related rules
- AWS RDS Snapshot Export
- Web Application Suspicious Activity: No User Agent
- DNS Activity to the Internet
- Potential Privilege Escalation via Local Kerberos Relay over LDAP
- Strace Process Activity