From fd5ad4b9405cd7b1f7078eedc481dbbce673e01b Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Thu, 25 Nov 2021 00:05:43 -0600
Subject: [PATCH] Update azure_kubernetes_admission_controller.yml
---
 .../azure/azure_kubernetes_admission_controller.yml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/rules/cloud/azure/azure_kubernetes_admission_controller.yml b/rules/cloud/azure/azure_kubernetes_admission_controller.yml
index 5f27353ea..6527bb32b 100644
--- a/rules/cloud/azure/azure_kubernetes_admission_controller.yml
+++ b/rules/cloud/azure/azure_kubernetes_admission_controller.yml
@@ -10,16 +10,19 @@ logsource:
 product: azure
 service: azure.activitylogs
 detection:
- selection:
+ selection1:
 properties.message|startswith:
- - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO/
- - MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO/
+ - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO
 properties.message|endswith:
 - /MUTATINGWEBHOOKCONFIGURATIONS/WRITE
 - /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE
+ selection2:
+ properties.message|startswith:
+ - MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO
+ properties.message|endswith:
 - /MUTATINGWEBHOOKCONFIGURATIONS/WRITE
 - /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE
- condition: selection
+ condition: selection1 or selection2
 level: medium
 tags:
 - attack.persistence
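Review bot: selection1 and selection2 carry identical `properties.message|endswith` lists and differ only in the prefix, so the split adds a second copy of the suffix list that must be kept in sync by hand; a suffix later added to one selection and not the other would silently leave one cluster type uncovered. Sigma ORs the values of a list and ANDs the fields of a selection, so a single selection with both prefixes under `properties.message|startswith:` and `condition: selection` appears to express the same match, also after the trailing `/` is dropped. If the split works around a backend conversion problem, record that in a comment such as `# split per resource provider: <reason>`, since the commit message gives no reason. Only `/WRITE` operations are matched; whether deleting a webhook configuration should alert as well is worth deciding, though the rule's title and description sit outside the hunk.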