GCP Break-glass Container Workload Deployed
Detects container workloads deployed with the break-glass flag, which overrides Binary Authorization enforcement for that deployment.
Sigma rule (View on GitHub)
title: GCP Break-glass Container Workload Deployed
id: 76737c19-66ee-4c07-b65a-a03301d1573d
status: test
description: |
    Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls.
references:
    - https://cloud.google.com/binary-authorization
author: Bryan Lim
date: 2024-01-12
tags:
    - attack.defense-evasion
    - attack.t1548
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        data.protoPayload.resource.type: 'k8s_cluster'
        data.protoPayload.logName:
            - 'cloudaudit.googleapis.com/activity'
            - 'cloudaudit.googleapis.com%2Factivity'
        data.protoPayload.methodName: 'io.k8s.core.v1.pods.create'
    keywords:
        - 'image-policy.k8s.io/break-glass'
    condition: selection and keywords
falsepositives:
    - Unknown
level: medium
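The rule's logic, as an added Python example that is not part of the Sigma rule or the SigmaHQ project: the `selection` block is evaluated as an AND of per-field ORs with case-insensitive exact string comparison, and the `keywords` block as a substring search over the whole event, which is how Sigma defines those two constructs. The sample events, the `data.protoPayload.*` nesting used to hold them, the `alpha.image-policy.k8s.io/break-glass` annotation key, and the principal e-mail are constructed for this example; the nesting follows the rule's own field paths and is not a statement of the exact GCP LogEntry schema.

```python
import json
from typing import Any, Dict, List, Optional

# Field constraints transcribed from the rule's `selection` block. Sigma
# compares plain string values exactly but case-insensitively, so both sides
# are lower-cased before comparison.
SELECTION: Dict[str, List[str]] = {
    "data.protoPayload.resource.type": ["k8s_cluster"],
    "data.protoPayload.logName": [
        "cloudaudit.googleapis.com/activity",
        "cloudaudit.googleapis.com%2Factivity",
    ],
    "data.protoPayload.methodName": ["io.k8s.core.v1.pods.create"],
}

# The rule's `keywords` block: matched as a substring anywhere in the event.
KEYWORDS: List[str] = ["image-policy.k8s.io/break-glass"]


def lookup(event: Dict[str, Any], dotted: str) -> Optional[Any]:
    """Walk a dotted field path through nested dicts; None if any hop is missing."""
    node: Any = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def selection_matches(event: Dict[str, Any]) -> bool:
    """Every field in `selection` must equal one of its listed values (AND of ORs)."""
    for path, allowed in SELECTION.items():
        value = lookup(event, path)
        if not isinstance(value, str):
            return False
        if value.lower() not in {v.lower() for v in allowed}:
            return False
    return True


def keywords_match(event: Dict[str, Any]) -> bool:
    """Sigma `keywords` hit if any listed string occurs anywhere in the serialised event."""
    blob = json.dumps(event).lower()
    return any(k.lower() in blob for k in KEYWORDS)


def matches_break_glass_rule(event: Dict[str, Any]) -> bool:
    """condition: selection and keywords"""
    return selection_matches(event) and keywords_match(event)


def build_event(
    method: str,
    annotations: Dict[str, str],
    log_name: str = "cloudaudit.googleapis.com%2Factivity",
) -> Dict[str, Any]:
    """Constructed sample event. The data.protoPayload.* nesting mirrors the
    rule's field paths (an assumption for this example, not the exact GCP
    LogEntry schema)."""
    return {
        "data": {
            "protoPayload": {
                "resource": {"type": "k8s_cluster"},
                "logName": log_name,
                "methodName": method,
                "authenticationInfo": {"principalEmail": "deployer@example.com"},
                "request": {
                    "kind": "Pod",
                    "metadata": {"name": "web-0", "annotations": annotations},
                },
            }
        }
    }


# Constructed sample events: a break-glass pod creation, an ordinary pod
# creation, and a break-glass annotation on a non-create method.
SAMPLE_EVENTS: Dict[str, Dict[str, Any]] = {
    "breakglass-create": build_event(
        "io.k8s.core.v1.pods.create",
        {"alpha.image-policy.k8s.io/break-glass": "true"},
    ),
    "normal-create": build_event("io.k8s.core.v1.pods.create", {}),
    "breakglass-delete": build_event(
        "io.k8s.core.v1.pods.delete",
        {"alpha.image-policy.k8s.io/break-glass": "true"},
    ),
}


def scan(events: Dict[str, Dict[str, Any]]) -> List[str]:
    """Return the names of the events that trigger the rule."""
    return [name for name, ev in events.items() if matches_break_glass_rule(ev)]


if __name__ == "__main__":
    print("alerts:", scan(SAMPLE_EVENTS))
```

Only `breakglass-create` fires: the deletion carries the keyword but fails `selection` on `methodName`. One caveat worth checking when deploying the rule: the `logName` values carry no wildcard, so under Sigma semantics they are exact matches, and a log name that arrives with a resource prefix in front of `cloudaudit.googleapis.com%2Factivity` would not match as written unless the backend or log pipeline normalises that field (`build_event` with a prefixed `log_name` shows the miss).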
Related rules
- CA Policy Removed by Non Approved Actor
- CA Policy Updated by Non Approved Actor
- New CA Policy by Non-approved Actor
- User Added To Group With CA Policy Modification Access
- User Removed From Group With CA Policy Modification Access