[New Rule] Azure Kubernetes Secret or Config Object Access

[austinsonger]

Description

Identifies when a Kubernetes account access sensitive objects in a Kubernetes cluster.

Required Info

Target indexes

filebeat-*, logs-azure*

Optional Info

Query

event.dataset:azure.activitylogs and azure.activitylogs.operation_name:
    (
        "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE" or
        "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE" or
        "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE" or
        "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE"
    ) and 
event.outcome:(Success or success)

New fields required in ECS/data sources for this rule?

Related issues or PRs

False Positives

MITRE

Tactic	Technique ID	Technique Name	Sub-Technique Name

References

• https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
• https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
• https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
• https://attack.mitre.org/matrices/enterprise/cloud/
• https://medium.com/mitre-engenuity/the-evolution-of-a-matrix-how-att-ck-for-containers-was-built-f5ca7fdbcb3f

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[austinsonger]

Just keeping it open.

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[botelastic]

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.