diff --git a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml b/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml new file mode 100644 index 000000000..1fa2c5501 --- /dev/null +++ b/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml @@ -0,0 +1,47 @@ +[metadata] +creation_date = "2021/10/18" +maturity = "production" +updated_date = "2021/11/22" +integration = "azure" + +[rule] +author = ["Austin Songer"] +description = """ +Identifies the creation of role binding or cluster role bindings. You can assign these roles to Kubernetes subjects +(users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to create +bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges +roles. +""" +from = "now-20m" +index = ["filebeat-*", "logs-azure*"] +language = "kuery" +license = "Elastic License v2" +name = "Azure Kubernetes Rolebindings Created" +note = """## Config + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +references = [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", +] +risk_score = 21 +rule_id = "1c966416-60c1-436b-bfd0-e002fddbfd89" +severity = "low" +tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.dataset:azure.activitylogs and azure.activitylogs.operation_name: + ("MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE" or + "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE") and +event.outcome:(Success or success) +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/"