GCP Break-glass Container Workload Deployed
Detects container workloads deployed with the Binary Authorization break-glass flag, which overrides Binary Authorization policy enforcement on the cluster so that an unverified image can still be admitted.
Sigma rule
title: GCP Break-glass Container Workload Deployed
id: 76737c19-66ee-4c07-b65a-a03301d1573d
status: test
description: |
    Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls.
references:
    - https://cloud.google.com/binary-authorization
author: Bryan Lim
date: 2024-01-12
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1548
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        data.protoPayload.resource.type: 'k8s_cluster'
        data.protoPayload.logName:
            - 'cloudaudit.googleapis.com/activity'
            - 'cloudaudit.googleapis.com%2Factivity'
        data.protoPayload.methodName: 'io.k8s.core.v1.pods.create'
    keywords:
        - 'image-policy.k8s.io/break-glass'
    condition: selection and keywords
falsepositives:
    - Unknown
level: medium
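The following is an added worked example and is not part of the rule or of SigmaHQ's own tooling: a small Python evaluation of the rule's `selection and keywords` condition over constructed GKE audit events, so you can see which events fire and which are deliberately excluded. The events are built in the rule's own field layout (`data.protoPayload...`), the annotation key is the `alpha.image-policy.k8s.io/break-glass` annotation that Binary Authorization documents for break-glass, and the principal, project and pod names are placeholders.

```python
"""Apply the rule's selection/keywords condition to constructed GKE audit events.

Added worked example; not part of the Sigma rule or SigmaHQ tooling.
"""
import json
from typing import Any

# Field paths and values copied verbatim from the rule's `selection`.
SELECTION: dict[str, list[str]] = {
    "data.protoPayload.resource.type": ["k8s_cluster"],
    "data.protoPayload.logName": [
        "cloudaudit.googleapis.com/activity",
        "cloudaudit.googleapis.com%2Factivity",
    ],
    "data.protoPayload.methodName": ["io.k8s.core.v1.pods.create"],
}
# The rule's `keywords` list: a free-text search over the whole event.
KEYWORDS = ["image-policy.k8s.io/break-glass"]


def get_path(event: dict[str, Any], path: str) -> Any:
    """Resolve a dotted field path; return None if any segment is missing."""
    cur: Any = event
    for seg in path.split("."):
        if not isinstance(cur, dict) or seg not in cur:
            return None
        cur = cur[seg]
    return cur


def selection_matches(event: dict[str, Any]) -> bool:
    """Sigma map semantics: every field must equal one of its listed values
    (string comparison is case-insensitive by default in Sigma)."""
    for path, allowed in SELECTION.items():
        value = get_path(event, path)
        if not isinstance(value, str):
            return False
        if value.lower() not in {v.lower() for v in allowed}:
            return False
    return True


def keywords_match(event: dict[str, Any]) -> bool:
    """Sigma keywords are matched against the full event text, so the
    annotation is found wherever it sits in the request body."""
    blob = json.dumps(event).lower()
    return any(k.lower() in blob for k in KEYWORDS)


def rule_matches(event: dict[str, Any]) -> bool:
    """condition: selection and keywords"""
    return selection_matches(event) and keywords_match(event)


def make_event(method: str, log_name: str, annotations: dict[str, str],
               kind: str = "Pod") -> dict[str, Any]:
    """Build a constructed audit event in the rule's field layout. This is
    not a real Cloud Logging LogEntry; names and principal are placeholders."""
    return {
        "data": {
            "protoPayload": {
                "resource": {"type": "k8s_cluster"},
                "logName": log_name,
                "methodName": method,
                "authenticationInfo": {"principalEmail": "dev@example.com"},
                "request": {
                    "kind": kind,
                    "metadata": {"name": "debug-shell", "annotations": annotations},
                },
            }
        }
    }


# Constructed samples (assumption: the break-glass annotation key as
# documented by Binary Authorization, set on the pod spec).
BREAK_GLASS = {"alpha.image-policy.k8s.io/break-glass": "true"}
ACTIVITY_ENC = "cloudaudit.googleapis.com%2Factivity"
SAMPLE_EVENTS: dict[str, dict[str, Any]] = {
    "break_glass_pod": make_event("io.k8s.core.v1.pods.create", ACTIVITY_ENC, BREAK_GLASS),
    "break_glass_pod_plain_logname": make_event(
        "io.k8s.core.v1.pods.create", "cloudaudit.googleapis.com/activity", BREAK_GLASS),
    "normal_pod": make_event("io.k8s.core.v1.pods.create", ACTIVITY_ENC, {}),
    "break_glass_in_data_access_log": make_event(
        "io.k8s.core.v1.pods.create", "cloudaudit.googleapis.com%2Fdata_access", BREAK_GLASS),
    "break_glass_deployment": make_event(
        "io.k8s.apps.v1.deployments.create", ACTIVITY_ENC, BREAK_GLASS, kind="Deployment"),
}


def evaluate_samples() -> dict[str, bool]:
    """Return the rule verdict for every constructed sample."""
    return {name: rule_matches(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT' if hit else 'ok   '} {name}")
```

Two things the run makes visible. First, both spellings of the activity log name match, which is why the rule lists the raw and the `%2F`-encoded form; in a raw Cloud Logging LogEntry, `logName` and `resource.type` sit at the top level next to `protoPayload`, so map the rule's `data.protoPayload.` prefix onto wherever your ingestion pipeline actually places those fields before deploying it. Second, the keyword alone is not enough: a Deployment object carrying the same annotation still contains the keyword but is excluded by the `methodName` selection, so the rule as written fires only on the pod-level create.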
References
- https://cloud.google.com/binary-authorization
Related rules
- AWS STS AssumeRole Misuse
- AWS STS GetSessionToken Misuse
- AWS Suspicious SAML Activity
- Abused Debug Privilege by Arbitrary Parent Processes
- CA Policy Removed by Non Approved Actor