Google Cloud Kubernetes Secrets Modified or Deleted
Identifies when the Secrets are Modified or Deleted.
Sigma rule (View on GitHub)
1title: Google Cloud Kubernetes Secrets Modified or Deleted
2id: 2f0bae2d-bf20-4465-be86-1311addebaa3
3status: test
4description: Identifies when the Secrets are Modified or Deleted.
5references:
6 - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
7author: Austin Songer @austinsonger
8date: 2021/08/09
9modified: 2022/10/09
10tags:
11 - attack.credential_access
12logsource:
13 product: gcp
14 service: gcp.audit
15detection:
16 selection:
17 gcp.audit.method_name:
18 - io.k8s.core.v*.secrets.create
19 - io.k8s.core.v*.secrets.update
20 - io.k8s.core.v*.secrets.patch
21 - io.k8s.core.v*.secrets.delete
22 condition: selection
23falsepositives:
24 - Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
25 - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
26level: medium
References
Related rules
- AWS Route 53 Domain Transfer Lock Disabled
- AWS Route 53 Domain Transferred to Another Account
- Account Lockout
- Change to Authentication Method
- Google Cloud Kubernetes RoleBinding