Azure Kubernetes Rolebindings Created

 1[metadata]
 2creation_date = "2021/10/18"
 3integration = ["azure"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Austin Songer"]
 9description = """
10Identifies the creation of role binding or cluster role bindings. You can assign these roles to Kubernetes subjects
11(users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to
12create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other
13high privileges roles.
14"""
15from = "now-20m"
16index = ["filebeat-*", "logs-azure*"]
17language = "kuery"
18license = "Elastic License v2"
19name = "Azure Kubernetes Rolebindings Created"
20note = """## Setup
21
22The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
23references = [
24    "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
25    "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
26]
27risk_score = 21
28rule_id = "1c966416-60c1-436b-bfd0-e002fddbfd89"
29severity = "low"
30tags = [
31    "Domain: Cloud",
32    "Data Source: Azure",
33    "Use Case: Identity and Access Audit",
34    "Tactic: Privilege Escalation",
35]
36timestamp_override = "event.ingested"
37type = "query"
38
39query = '''
40event.dataset:azure.activitylogs and azure.activitylogs.operation_name:
41	("MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE" or
42	 "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE") and
43event.outcome:(Success or success)
44'''
45
46
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49
50[rule.threat.tactic]
51id = "TA0004"
52name = "Privilege Escalation"
53reference = "https://attack.mitre.org/tactics/TA0004/"