Azure Kubernetes Secret or Config Object Access

Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.

Sigma rule (View on GitHub)

 1title: Azure Kubernetes Secret or Config Object Access
 2id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c
 3status: test
 4description: Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.
 5references:
 6    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
 7    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
 8    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
 9    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
10    - https://attack.mitre.org/matrices/enterprise/cloud/
11author: Austin Songer @austinsonger
12date: 2021/08/07
13modified: 2022/08/23
14tags:
15    - attack.impact
16logsource:
17    product: azure
18    service: activitylogs
19detection:
20    selection:
21        operationName:
22            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE
23            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE
24            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE
25            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE
26    condition: selection
27falsepositives:
28    - Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
29level: medium

References

Related rules

to-top