Azure Kubernetes Rolebindings Created

Identifies the creation of role binding or cluster role bindings. You can assign these roles to Kubernetes subjects (users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/10/18"
 3integration = ["azure"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Austin Songer"]
 9description = """
10Identifies the creation of role binding or cluster role bindings. You can assign these roles to Kubernetes subjects
11(users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to
12create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other
13high privileges roles.
14"""
15from = "now-20m"
16index = ["filebeat-*", "logs-azure*"]
17language = "kuery"
18license = "Elastic License v2"
19name = "Azure Kubernetes Rolebindings Created"
20note = """## Setup
21
22The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
23references = [
24    "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
25    "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
26]
27risk_score = 21
28rule_id = "1c966416-60c1-436b-bfd0-e002fddbfd89"
29severity = "low"
30tags = [
31    "Domain: Cloud",
32    "Data Source: Azure",
33    "Use Case: Identity and Access Audit",
34    "Tactic: Privilege Escalation",
35]
36timestamp_override = "event.ingested"
37type = "query"
38
39query = '''
40event.dataset:azure.activitylogs and azure.activitylogs.operation_name:
41	("MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE" or
42	 "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE") and
43event.outcome:(Success or success)
44'''
45
46
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49
50[rule.threat.tactic]
51id = "TA0004"
52name = "Privilege Escalation"
53reference = "https://attack.mitre.org/tactics/TA0004/"

Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

Related rules

to-top