Google Cloud Kubernetes Secrets Modified or Deleted
Identifies when the Secrets are Modified or Deleted.
Sigma rule (View on GitHub)
1title: Google Cloud Kubernetes Secrets Modified or Deleted
2id: 2f0bae2d-bf20-4465-be86-1311addebaa3
3status: test
4description: Identifies when the Secrets are Modified or Deleted.
5references:
6 - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
7author: Austin Songer @austinsonger
8date: 2021-08-09
9modified: 2022-10-09
10tags:
11 - attack.credential-access
12logsource:
13 product: gcp
14 service: gcp.audit
15detection:
16 selection:
17 gcp.audit.method_name:
18 - io.k8s.core.v*.secrets.create
19 - io.k8s.core.v*.secrets.update
20 - io.k8s.core.v*.secrets.patch
21 - io.k8s.core.v*.secrets.delete
22 condition: selection
23falsepositives:
24 - Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
25 - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
26level: medium
References
-
Autopilot Standard This document describes the audit logs created by Google Kubernetes Engine as part of Cloud Audit Logs. Overview Google Cloud services write audit logs to help you answer the que...
Read More
Related rules
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- ADCS Certificate Template Configuration Vulnerability
- ADCS Certificate Template Configuration Vulnerability with Risky EKU
- APT31 Judgement Panda Activity