Azure Kubernetes Secret or Config Object Access
Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.
Sigma rule (View on GitHub)
1title: Azure Kubernetes Secret or Config Object Access
2id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c
3status: test
4description: Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.
5references:
6 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
7 - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
8 - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
9 - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
10 - https://attack.mitre.org/matrices/enterprise/cloud/
11author: Austin Songer @austinsonger
12date: 2021-08-07
13modified: 2022-08-23
14tags:
15 - attack.impact
16logsource:
17 product: azure
18 service: activitylogs
19detection:
20 selection:
21 operationName:
22 - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE
23 - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE
24 - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE
25 - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE
26 condition: selection
27falsepositives:
28 - Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
29level: medium
References
Related rules
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AWS EC2 Disable EBS Encryption
- AWS EFS Fileshare Modified or Deleted
- AWS EFS Fileshare Mount Modified or Deleted