[New Rule] Azure Kubernetes Role or ClusterRole Modified or Deleted #1278

@austinsonger

Description

Identifies when an Azure Kubernetes Role/ClusterRole is Created or Modified

Required Info

Target indexes

filebeat-*, logs-azure*

Platforms

Azure

Optional Info

Query

event.dataset:azure.activitylogs and azure.activitylogs.operation_name:
    ("MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/WRITE" or
     "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/DELETE" or
     "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/BIND/ACTION" or
     "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/ESCALATE/ACTION" or
     "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/WRITE" or
     "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/DELETE" or
     "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/BIND/ACTION" or
     "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/ESCALATE/ACTION") and
event.outcome:(Success or success)

New fields required in ECS/data sources for this rule?

Related issues or PRs

False Positives

MITRE

Tactic Technique ID Technique Name Sub-Technique Name

References
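Added example, not part of the issue or of the detection-rules project: the three AND-ed clauses of the query above, evaluated in Python over a handful of constructed Azure activity-log events so the alert/no-alert boundary can be checked before the rule file is written. The nested-dict field layout (`event.dataset`, `event.outcome`, `azure.activitylogs.operation_name`) mirrors the ECS field names the query uses; the sample events are constructed, not real log data.

```python
"""Run the proposed Azure Kubernetes Role/ClusterRole KQL logic over
constructed Azure activity-log events (added example, not from the issue)."""

# Operation names exactly as listed in the query. operation_name is a
# keyword field, so the KQL match is exact and case-sensitive.
PREFIX = "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/"
RBAC_OPERATIONS = frozenset(
    f"{PREFIX}{kind}/{verb}"
    for kind in ("CLUSTERROLES", "ROLES")
    for verb in ("WRITE", "DELETE", "BIND/ACTION", "ESCALATE/ACTION")
)

# event.outcome:(Success or success): both spellings appear in the wild.
SUCCESS_OUTCOMES = frozenset({"Success", "success"})


def get_field(event, dotted):
    """Resolve a dotted ECS field name against a nested dict; None if absent."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches_rule(event):
    """The three AND-ed clauses of the query, evaluated on one event."""
    return (
        get_field(event, "event.dataset") == "azure.activitylogs"
        and get_field(event, "azure.activitylogs.operation_name") in RBAC_OPERATIONS
        and get_field(event, "event.outcome") in SUCCESS_OUTCOMES
    )


def make_event(operation_name, outcome="Success", dataset="azure.activitylogs"):
    """Build a minimal event carrying only the fields the query reads (constructed)."""
    return {
        "event": {"dataset": dataset, "outcome": outcome},
        "azure": {"activitylogs": {"operation_name": operation_name}},
    }


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    make_event(PREFIX + "CLUSTERROLES/WRITE"),                   # create/update: alert
    make_event(PREFIX + "ROLES/DELETE", outcome="success"),       # lower-case outcome: alert
    make_event(PREFIX + "ROLES/BIND/ACTION", outcome="Failure"),  # failed attempt: no alert
    make_event(PREFIX + "ROLEBINDINGS/WRITE"),                    # bindings are not in this rule
    make_event(PREFIX + "CLUSTERROLES/ESCALATE/ACTION",
               dataset="azure.auditlogs"),                        # wrong dataset: no alert
]


def run_rule(events):
    """Return the operation names of the events that would alert."""
    return [
        get_field(e, "azure.activitylogs.operation_name")
        for e in events
        if matches_rule(e)
    ]


if __name__ == "__main__":
    for name in run_rule(SAMPLE_EVENTS):
        print("ALERT:", name)
```

Two things the run makes visible: a failed BIND or ESCALATE attempt is dropped by the `event.outcome` clause, so a rule for attempted privilege escalation would need a separate variant without it; and RoleBinding/ClusterRoleBinding writes do not match, since the query only lists the Role and ClusterRole resource types. Azure activity-log `WRITE` operations are logged for both creation and update, which is why one operation name covers the "Created or Modified" wording in the description.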
