[New Rule] GCP Kubernetes Rolebindings Created or Patched (#1267)

* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update

* Update .gitignore

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/gcp/credential_access_gcp_kubernetes_rolebindings_creation.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update and rename credential_access_gcp_kubernetes_rolebindings_creation.toml to credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml

* Update credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml

* Update credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml

* Rename credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml to privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml

* remove space from query

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 27ba204f1c)
Austin Songer
2021-10-15 13:42:25 -05:00
committed by github-actions[bot]
parent 8f55556006
commit 8bb2d27451
@@ -0,0 +1,47 @@
[metadata]
creation_date = "2021/06/06"
maturity = "production"
updated_date = "2021/10/14"
integration = "gcp"
[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies the creation or patching of potential malicious rolebinding. You can assign these roles to Kubernetes subjects
(users, groups, or service accounts) with role bindings and cluster role bindings.
"""
from = "now-20m"
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP Kubernetes Rolebindings Created or Patched "
note = """## Config
The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
"https://unofficial-kubernetes.readthedocs.io/en/latest/admin/authorization/rbac/",
"https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control",
]
risk_score = 47
rule_id = "2f0bae2d-bf20-4465-be86-1311addebaa3"
severity = "medium"
tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:(googlecloud.audit or gcp.audit) and event.action:(io.k8s.authorization.rbac.v*.clusterrolebindings.create or
io.k8s.authorization.rbac.v*.rolebindings.create or io.k8s.authorization.rbac.v*.clusterrolebindings.patch or
io.k8s.authorization.rbac.v*.rolebindings.patch) and event.outcome:success
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"