Create gcp_kubernetes_secrets_modified_or_deleted.yml
This commit is contained in:
Austin Songer
@@ -0,0 +1,24 @@
|
||||
title: Google Cloud Kubernetes Secrets Modified or Deleted
|
||||
id: 2f0bae2d-bf20-4465-be86-1311addebaa3
|
||||
description: Identifies when the Secrets are Modified or Deleted.
|
||||
author: Austin Songer
|
||||
status: experimental
|
||||
date: 2021/08/09
|
||||
references:
|
||||
- https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
|
||||
logsource:
|
||||
service: gcp.audit
|
||||
detection:
|
||||
selection:
|
||||
eventName:
|
||||
- io.k8s.core.v*.secrets.create
|
||||
- io.k8s.core.v*.secrets.update
|
||||
- io.k8s.core.v*.secrets.patch
|
||||
- io.k8s.core.v*.secrets.delete
|
||||
condition: selection
|
||||
level: medium
|
||||
tags:
|
||||
- attack.credential_access
|
||||
falsepositives:
|
||||
- Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
|
||||
- Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
|
||||
Reference in New Issue
Block a user