Azure Kubernetes Secret or Config Object Access
Identifies when a Kubernetes account writes to or deletes sensitive objects such as ConfigMaps or Secrets on an Azure Arc-enabled (connected) cluster.
Sigma rule
title: Azure Kubernetes Secret or Config Object Access
id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c
status: test
description: Identifies when a Kubernetes account writes to or deletes sensitive objects such as ConfigMaps or Secrets on an Azure Arc-enabled (connected) cluster.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
    - attack.impact
    - attack.t1485
    - attack.t1496
    - attack.t1489
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE
            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE
    condition: selection
falsepositives:
    - Sensitive objects may be written or deleted by a system administrator. Verify whether the user identity, user agent and/or hostname should be making changes in your environment. Changes to sensitive objects by unfamiliar identities should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
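The selection matches only the four write and delete operations, so despite the word "Access" in the title the rule does not fire on reads of Secrets or ConfigMaps; a read-only dump of cluster secrets needs a different data source. The following Python is an added example, not part of the Sigma rule or of the SigmaHQ project: it applies the rule's selection to a handful of constructed Azure Activity Log records (JSON Lines in the shape of a diagnostic-settings export; the callers, timestamps, subscription ID and resource IDs are made up), compares operationName case-insensitively as Sigma does by default, and drops callers placed on an exemption list, which is the tuning the falsepositives note suggests. The names SAMPLE_ACTIVITY_LOG, run_rule and exempt_callers are this example's own, not part of the rule.

```python
"""Apply the Sigma selection for this rule to Azure Activity Log records.

Added example; it mirrors the rule's selection by hand rather than using a
Sigma backend, so a SIEM conversion may differ in field names.
"""
import json
from typing import Dict, FrozenSet, Iterator, List

# The four operationName values from the rule's selection block. Sigma string
# matching is case-insensitive by default, so records are upper-cased before lookup.
SENSITIVE_K8S_OPERATIONS = frozenset({
    "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE",
    "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE",
    "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE",
    "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE",
})

# Constructed sample records (not real telemetry). Record 3 is a read, which the
# rule does not cover; record 4 is an AKS control-plane write, out of scope for
# this rule; record 5 uses mixed case and must still match.
SAMPLE_ACTIVITY_LOG = """\
{"time": "2024-05-01T10:01:00Z", "operationName": "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE", "caller": "alice@example.com", "resourceId": "/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/rg-prod/providers/Microsoft.Kubernetes/connectedClusters/arc-prod", "resultType": "Success"}
{"time": "2024-05-01T10:02:00Z", "operationName": "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE", "caller": "sp-gitops-deployer", "resourceId": "/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/rg-prod/providers/Microsoft.Kubernetes/connectedClusters/arc-prod", "resultType": "Success"}
{"time": "2024-05-01T10:03:00Z", "operationName": "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/READ", "caller": "bob@example.com", "resourceId": "/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/rg-prod/providers/Microsoft.Kubernetes/connectedClusters/arc-prod", "resultType": "Success"}
{"time": "2024-05-01T10:04:00Z", "operationName": "MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/WRITE", "caller": "alice@example.com", "resourceId": "/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/rg-prod/providers/Microsoft.ContainerService/managedClusters/aks-prod", "resultType": "Success"}
{"time": "2024-05-01T10:05:00Z", "operationName": "Microsoft.Kubernetes/connectedClusters/secrets/write", "caller": "mallory@example.com", "resourceId": "/subscriptions/11111111-2222-3333-4444-555555555555/resourceGroups/rg-prod/providers/Microsoft.Kubernetes/connectedClusters/arc-prod", "resultType": "Success"}
"""


def parse_activity_log(text: str) -> Iterator[Dict]:
    """Yield one record per non-empty JSON line; skip lines that are not valid JSON."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def matches_selection(record: Dict) -> bool:
    """The rule's `condition: selection`: operationName is one of the four listed values."""
    op = record.get("operationName")
    return isinstance(op, str) and op.upper() in SENSITIVE_K8S_OPERATIONS


def run_rule(text: str, exempt_callers: FrozenSet[str] = frozenset()) -> List[Dict]:
    """Return one alert per matching record, minus callers exempted as known-good.

    exempt_callers is this example's stand-in for the per-environment tuning the
    rule's falsepositives note describes; keep it short and reviewed.
    """
    alerts: List[Dict] = []
    for rec in parse_activity_log(text):
        if not matches_selection(rec):
            continue
        caller = rec.get("caller", "<unknown>")
        if caller in exempt_callers:
            continue
        alerts.append({
            "time": rec.get("time"),
            "caller": caller,
            "operation": rec["operationName"].upper(),
            "resourceId": rec.get("resourceId"),
            "level": "medium",  # the rule's level
        })
    return alerts


if __name__ == "__main__":
    # Exempting the GitOps service principal leaves the two human-driven changes.
    for alert in run_rule(SAMPLE_ACTIVITY_LOG, exempt_callers=frozenset({"sp-gitops-deployer"})):
        print(json.dumps(alert))
```

Run as-is it prints two alerts (alice and mallory); without the exemption the deployer's ConfigMap delete is reported as well, and the READ and the AKS managedClusters write never match. When triaging a hit, pivot on caller, resourceId and the correlation fields of the surrounding activity-log records rather than on operationName alone.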
Related rules
- Azure Container Registry Created or Deleted
- Azure Kubernetes Cluster Created or Deleted
- Azure Kubernetes Network Policy Change
- Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted
- Azure Kubernetes Sensitive Role Access