Google Cloud Kubernetes Secrets Modified or Deleted
Identifies when the Secrets are Modified or Deleted.
Sigma rule (View on GitHub)
1title: Google Cloud Kubernetes Secrets Modified or Deleted
2id: 2f0bae2d-bf20-4465-be86-1311addebaa3
3status: test
4description: Identifies when the Secrets are Modified or Deleted.
5references:
6 - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
7author: Austin Songer @austinsonger
8date: 2021/08/09
9modified: 2022/10/09
10tags:
11 - attack.credential_access
12logsource:
13 product: gcp
14 service: gcp.audit
15detection:
16 selection:
17 gcp.audit.method_name:
18 - io.k8s.core.v*.secrets.create
19 - io.k8s.core.v*.secrets.update
20 - io.k8s.core.v*.secrets.patch
21 - io.k8s.core.v*.secrets.delete
22 condition: selection
23falsepositives:
24 - Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
25 - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
26level: medium
References
-
Autopilot Standard This document describes the audit logs created by Google Kubernetes Engine as part of Cloud Audit Logs. Overview Google Cloud services write audit logs to help you answer the que...
Read More
Related rules
- AWS Route 53 Domain Transfer Lock Disabled
- AWS Route 53 Domain Transferred to Another Account
- Account Lockout
- Change to Authentication Method
- Google Cloud Kubernetes RoleBinding