Azure Kubernetes Rolebindings Created
Identifies the creation of role binding or cluster role bindings. You can assign these roles to Kubernetes subjects (users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/10/18"
3integration = ["azure"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/06/22"
8
9[rule]
10author = ["Austin Songer"]
11description = """
12Identifies the creation of role binding or cluster role bindings. You can assign these roles to Kubernetes subjects
13(users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to
14create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other
15high privileges roles.
16"""
17from = "now-20m"
18index = ["filebeat-*", "logs-azure*"]
19language = "kuery"
20license = "Elastic License v2"
21name = "Azure Kubernetes Rolebindings Created"
22note = """## Setup
23
24The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
25references = [
26 "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
27 "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
28]
29risk_score = 21
30rule_id = "1c966416-60c1-436b-bfd0-e002fddbfd89"
31severity = "low"
32tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"]
33timestamp_override = "event.ingested"
34type = "query"
35
36query = '''
37event.dataset:azure.activitylogs and azure.activitylogs.operation_name:
38 ("MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE" or
39 "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE") and
40event.outcome:(Success or success)
41'''
42
43
44[[rule.threat]]
45framework = "MITRE ATT&CK"
46
47[rule.threat.tactic]
48id = "TA0004"
49name = "Privilege Escalation"
50reference = "https://attack.mitre.org/tactics/TA0004/"
Setup
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- Azure AD Global Administrator Role Assigned
- Azure Active Directory High Risk Sign-in
- Azure Active Directory High Risk User Sign-in Heuristic
- Azure Active Directory PowerShell Sign-in
- Azure Application Credential Modification