Kubernetes Secrets Modified or Deleted

Detects when Kubernetes Secrets are Modified or Deleted.

Sigma rule (View on GitHub)

 1title: Kubernetes Secrets Modified or Deleted
 2id: 58d31a75-a4f8-4c40-985b-373d58162ca2
 3related:
 4    - id: 2f0bae2d-bf20-4465-be86-1311addebaa3
 5      type: similar
 6status: experimental
 7description: |
 8        Detects when Kubernetes Secrets are Modified or Deleted.
 9references:
10    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
11    - https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/
12author: kelnage
13date: 2024/07/11
14tags:
15    - attack.credential_access
16logsource:
17    product: kubernetes
18    service: audit
19detection:
20    selection:
21        objectRef.resource: 'secrets'
22        verb:
23            - 'create'
24            - 'delete'
25            - 'patch'
26            - 'replace'
27            - 'update'
28    condition: selection
29falsepositives:
30    - Secrets being modified or deleted may be performed by a system administrator.
31    - Automated processes may need to take these actions and may need to be filtered.
32level: medium

References

Related rules

to-top