GCP Break-glass Container Workload Deployed

Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls.

Sigma rule (View on GitHub)

 1title: GCP Break-glass Container Workload Deployed
 2id: 76737c19-66ee-4c07-b65a-a03301d1573d
 3status: test
 4description: |
 5        Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls.
 6references:
 7    - https://cloud.google.com/binary-authorization
 8author: Bryan Lim
 9date: 2024-01-12
10tags:
11    - attack.defense-evasion
12    - attack.t1548
13logsource:
14    product: gcp
15    service: gcp.audit
16detection:
17    selection:
18        data.protoPayload.resource.type: 'k8s_cluster'
19        data.protoPayload.logName:
20            - 'cloudaudit.googleapis.com/activity'
21            - 'cloudaudit.googleapis.com%2Factivity'
22        data.protoPayload.methodName: 'io.k8s.core.v1.pods.create'
23    keywords:
24        - 'image-policy.k8s.io/break-glass'
25    condition: selection and keywords
26falsepositives:
27    - Unknown
28level: medium

References

Related rules

to-top