Merge PR #4899 from @kelnage - Add Kubernetes rules in audit log format

new: Kubernetes Admission Controller Modification
new: Kubernetes CronJob/Job Modification
new: Kubernetes Rolebinding Modification
new: Kubernetes Secrets Modified or Deleted
new: Kubernetes Unauthorized or Unauthenticated Access 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>

rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml

@@ -0,0 +1,39 @@
+title: Kubernetes Admission Controller Modification
+id: eed82177-38f5-4299-8a76-098d50d225ab
+related:
+    - id: 6ad91e31-53df-4826-bd27-0166171c8040
+      type: similar
+status: experimental
+description: |
+    Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.
+references:
+    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
+    - https://security.padok.fr/en/blog/kubernetes-webhook-attackers
+author: kelnage
+date: 2024/07/11
+tags:
+    - attack.persistence
+    - attack.t1078
+    - attack.credential_access
+    - attack.t1552
+    - attack.t1552.007
+logsource:
+    product: kubernetes
+    service: audit
+detection:
+    selection:
+        objectRef.apiGroup: 'admissionregistration.k8s.io'
+        objectRef.resource:
+            - 'mutatingwebhookconfigurations'
+            - 'validatingwebhookconfigurations'
+        verb:
+            - 'create'
+            - 'delete'
+            - 'patch'
+            - 'replace'
+            - 'update'
+    condition: selection
+falsepositives:
+    - Modifying the Kubernetes Admission Controller may need to be done by a system administrator.
+    - Automated processes may need to take these actions and may need to be filtered.
+level: medium

rules/application/kubernetes/audit/kubernetes_audit_cronjob_modification.yml

@@ -0,0 +1,39 @@
+title: Kubernetes CronJob/Job Modification
+id: 0c9b3bda-41a6-4442-9345-356ae86343dc
+related:
+    - id: cd3a808c-c7b7-4c50-a2f3-f4cfcd436435
+      type: similar
+status: experimental
+description: |
+    Detects when a Kubernetes CronJob or Job is created or modified.
+    A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule.
+    An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence.
+references:
+    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
+    - https://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob
+author: kelnage
+date: 2024/07/11
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.execution
+logsource:
+    product: kubernetes
+    service: audit
+detection:
+    selection:
+        objectRef.apiGroup: 'batch'
+        objectRef.resource:
+            - 'cronjobs'
+            - 'jobs'
+        verb:
+            - 'create'
+            - 'delete'
+            - 'patch'
+            - 'replace'
+            - 'update'
+    condition: selection
+falsepositives:
+    - Modifying a Kubernetes Job or CronJob may need to be done by a system administrator.
+    - Automated processes may need to take these actions and may need to be filtered.
+level: medium

rules/application/kubernetes/audit/kubernetes_audit_rolebinding_modification.yml

@@ -0,0 +1,35 @@
+title: Kubernetes Rolebinding Modification
+id: 10b97915-ec8d-455f-a815-9a78926585f6
+related:
+    - id: 0322d9f2-289a-47c2-b5e1-b63c90901a3e
+      type: similar
+status: experimental
+description: |
+    Detects when a Kubernetes Rolebinding is created or modified.
+references:
+    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
+    - https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab
+author: kelnage
+date: 2024/07/11
+tags:
+    - attack.privilege_escalation
+logsource:
+    product: kubernetes
+    service: audit
+detection:
+    selection:
+        objectRef.apiGroup: 'rbac.authorization.k8s.io'
+        objectRef.resource:
+            - 'clusterrolebindings'
+            - 'rolebindings'
+        verb:
+            - 'create'
+            - 'delete'
+            - 'patch'
+            - 'replace'
+            - 'update'
+    condition: selection
+falsepositives:
+    - Modifying a Kubernetes Rolebinding may need to be done by a system administrator.
+    - Automated processes may need to take these actions and may need to be filtered.
+level: medium

rules/application/kubernetes/audit/kubernetes_audit_secrets_modified_or_deleted.yml

@@ -0,0 +1,32 @@
+title: Kubernetes Secrets Modified or Deleted
+id: 58d31a75-a4f8-4c40-985b-373d58162ca2
+related:
+    - id: 2f0bae2d-bf20-4465-be86-1311addebaa3
+      type: similar
+status: experimental
+description: |
+    Detects when Kubernetes Secrets are Modified or Deleted.
+references:
+    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
+    - https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/
+author: kelnage
+date: 2024/07/11
+tags:
+    - attack.credential_access
+logsource:
+    product: kubernetes
+    service: audit
+detection:
+    selection:
+        objectRef.resource: 'secrets'
+        verb:
+            - 'create'
+            - 'delete'
+            - 'patch'
+            - 'replace'
+            - 'update'
+    condition: selection
+falsepositives:
+    - Secrets being modified or deleted may be performed by a system administrator.
+    - Automated processes may need to take these actions and may need to be filtered.
+level: medium

rules/application/kubernetes/audit/kubernetes_audit_unauthorized_unauthenticated_actions.yml

@@ -0,0 +1,25 @@
+title: Kubernetes Unauthorized or Unauthenticated Access
+id: 0d933542-1f1f-420d-97d4-21b2c3c492d9
+status: experimental
+description: |
+    Detects when a request to the Kubernetes API is rejected due to lack of authorization or due to an expired authentication token being used.
+    This may indicate an attacker attempting to leverage credentials they have obtained.
+references:
+    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
+    - https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues
+author: kelnage
+date: 2024/04/12
+tags:
+    - attack.privilege_escalation
+logsource:
+    product: kubernetes
+    service: audit
+detection:
+    selection:
+        responseStatus.code:
+            - 401 # Unauthorized
+            - 403 # Forbidden
+    condition: selection
+falsepositives:
+    - A misconfigured RBAC policy, a mistake by a valid user, or a wider issue with authentication tokens can also generate these errors.
+level: low