Azure Kubernetes Rolebindings Created

 1[metadata]
 2creation_date = "2021/10/18"
 3integration = ["azure"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Austin Songer"]
11description = """
12Identifies the creation of role binding or cluster role bindings. You can assign these roles to Kubernetes subjects
13(users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to
14create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other
15high privileges roles.
16"""
17from = "now-20m"
18index = ["filebeat-*", "logs-azure*"]
19language = "kuery"
20license = "Elastic License v2"
21name = "Azure Kubernetes Rolebindings Created"
22note = """## Setup
23
24The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
25references = [
26    "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
27    "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
28]
29risk_score = 21
30rule_id = "1c966416-60c1-436b-bfd0-e002fddbfd89"
31severity = "low"
32tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"]
33timestamp_override = "event.ingested"
34type = "query"
35
36query = '''
37event.dataset:azure.activitylogs and azure.activitylogs.operation_name:
38	("MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE" or
39	 "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE") and
40event.outcome:(Success or success)
41'''
42
43
44[[rule.threat]]
45framework = "MITRE ATT&CK"
46
47[rule.threat.tactic]
48id = "TA0004"
49name = "Privilege Escalation"
50reference = "https://attack.mitre.org/tactics/TA0004/"