Kubernetes Secrets Modified or Deleted

calendar Aug 12, 2024 · attack.credential-access  ·
Share on: linkedin copy

Detects when Kubernetes Secrets are Modified or Deleted.

Sigma rule (View on GitHub)

 1title: Kubernetes Secrets Modified or Deleted
 2id: 58d31a75-a4f8-4c40-985b-373d58162ca2
 3related:
 4    - id: 2f0bae2d-bf20-4465-be86-1311addebaa3
 5      type: similar
 6status: experimental
 7description: |
 8        Detects when Kubernetes Secrets are Modified or Deleted.
 9references:
10    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
11    - https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/
12author: kelnage
13date: 2024-07-11
14tags:
15    - attack.credential-access
16logsource:
17    product: kubernetes
18    service: audit
19detection:
20    selection:
21        objectRef.resource: 'secrets'
22        verb:
23            - 'create'
24            - 'delete'
25            - 'patch'
26            - 'replace'
27            - 'update'
28    condition: selection
29falsepositives:
30    - Secrets being modified or deleted may be performed by a system administrator.
31    - Automated processes may need to take these actions and may need to be filtered.
32level: medium

References

  • kube-apiserver Audit Configuration (v1)

    Resource Types Event EventList Policy PolicyList Event Appears in: EventList Event captures all the information that can be included in an API audit log. FieldDescription apiVersionstringaudit.k8s.io/v1 kindstringEvent level [Required] Level AuditLevel at which event was generated auditID [Required] k8s.io/apimachinery/pkg/types.UID Unique audit ID, generated for each request. stage [Required] Stage Stage of the request handling when this event instance was generated. requestURI [Required] string RequestURI is the request URI as sent by the client to a server.


    Read More

  • A Guide to Audit Kubernetes Secrets for Compliance

    Kubernetes secrets store sensitive data in encrypted form, but they can also create compliance issues if not handled well. This guide will help you audit Kubernetes secrets for compliance with best practices and tools.


    Read More

Related rules

to-top