Azure Kubernetes Secret or Config Object Access

Identifies when a Kubernetes account accesses sensitive objects such as configmaps or secrets.

Sigma rule (View on GitHub)

title: Azure Kubernetes Secret or Config Object Access
id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c
status: test
description: Identifies when a Kubernetes account accesses sensitive objects such as configmaps or secrets.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
    - attack.impact
    - attack.t1485
    - attack.t1496
    - attack.t1489
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE
    condition: selection
falsepositives:
    - Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
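The following is an added example, not part of the SigmaHQ rule or the page, showing how the rule's selection behaves when run over Azure activity log records. It applies the four operationName values from the rule to a constructed JSON-lines sample, compares them case-insensitively (Sigma string matching is case-insensitive by default, which is why the mixed-case names Azure emits still match the upper-case values in the rule), and lets a known automation identity be exempted as the falsepositives note suggests. The record field names (operationName, caller, callerIpAddress, status) and all sample values are assumptions made for this example.

```python
"""Apply the selection of Sigma rule 7ee0b4aa-d8d4-4088-b661-20efdf41a04c to
Azure activity log records supplied as JSON lines and produce triage-ready alerts.

Added example; the sample events below are constructed, not real telemetry."""
import json
from typing import Iterable, Iterator

RULE_ID = "7ee0b4aa-d8d4-4088-b661-20efdf41a04c"
RULE_TITLE = "Azure Kubernetes Secret or Config Object Access"
RULE_LEVEL = "medium"

# operationName values copied from the rule's selection. Note that only
# write and delete operations are listed; reads are not part of the rule.
SENSITIVE_OPERATIONS = frozenset({
    "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE",
    "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE",
    "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE",
    "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE",
})

# Constructed sample log, one activity log record per line. The field names
# are the assumed record schema for this example, not taken from the page.
SAMPLE_LOG = "\n".join([
    json.dumps({"operationName": "Microsoft.Kubernetes/connectedClusters/secrets/write",
                "caller": "dev@example.com", "callerIpAddress": "203.0.113.10",
                "status": "Succeeded"}),
    json.dumps({"operationName": "Microsoft.Kubernetes/connectedClusters/configMaps/delete",
                "caller": "ci-pipeline@example.com", "callerIpAddress": "198.51.100.7",
                "status": "Succeeded"}),
    # A read of a secret: not covered by the rule's selection.
    json.dumps({"operationName": "Microsoft.Kubernetes/connectedClusters/secrets/read",
                "caller": "dev@example.com", "callerIpAddress": "203.0.113.10",
                "status": "Succeeded"}),
    # A write to the cluster resource itself, not to a secret or configmap.
    json.dumps({"operationName": "Microsoft.Kubernetes/connectedClusters/write",
                "caller": "ops@example.com", "callerIpAddress": "192.0.2.44",
                "status": "Succeeded"}),
    "this line is not JSON and is skipped by the parser",
])


def parse_jsonl(text: str) -> Iterator[dict]:
    """Yield one record per non-empty line; malformed lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(record, dict):
            yield record


def matches_selection(event: dict) -> bool:
    """True when the record's operationName is one of the rule's values.

    Sigma compares strings case-insensitively by default, so the comparison
    is done on the upper-cased value."""
    op = event.get("operationName")
    return isinstance(op, str) and op.upper() in SENSITIVE_OPERATIONS


def evaluate(events: Iterable[dict], exempt_callers: Iterable[str] = ()) -> list:
    """Return one alert per matching record, skipping exempted caller identities.

    exempt_callers models the rule's falsepositives guidance: known benign
    behaviour (e.g. a deployment pipeline) can be exempted from the rule."""
    exempt = {c.lower() for c in exempt_callers}
    alerts = []
    for event in events:
        if not matches_selection(event):
            continue
        caller = str(event.get("caller", "<unknown>"))
        if caller.lower() in exempt:
            continue
        # Carry the identity and source address so an analyst can do the
        # "should this user be making changes?" check the rule asks for.
        alerts.append({
            "rule_id": RULE_ID,
            "title": RULE_TITLE,
            "level": RULE_LEVEL,
            "operation": event["operationName"],
            "caller": caller,
            "caller_ip": event.get("callerIpAddress"),
            "status": event.get("status"),
        })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(parse_jsonl(SAMPLE_LOG), exempt_callers=["ci-pipeline@example.com"]):
        print(json.dumps(alert))
```

Run as-is, the sample produces two matches and one alert once the pipeline identity is exempted. The read of a secret in the sample is deliberately not matched: despite the rule's title, its selection covers only write and delete operations, so a deployment that expects read access to secrets to be alerted on would need a separate rule.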
