[New Rule] Kubernetes Denied Service Account Request (#2299)

* [New Rule] Kubernetes Denied Service Account Request ## Issue #2040 ## Summary This rule detects when a service account makes an unauthorized request for resources from the API server. Service accounts follow a very predictable pattern of behavior. A service account should never send an unauthorized request to the API server. This behavior is likely an indicator of compromise or of a problem within the cluster. An adversary may have gained access to credentials/tokens and this could be an attempt to access or create resources to facilitate further movement or execution within the cluster. * Update discovery_denied_service_account_request.toml updated the query after testing to reduce false positives * Update rules/integrations/kubernetes/discovery_denied_service_account_request.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-09-19 13:22:20 -04:00
parent 99dcfe2055
commit a9364beef9
2 changed files with 63 additions and 1 deletions
@@ -83,6 +83,7 @@
    "kubernetes.audit.requestObject.spec.volumes.hostPath.path": "keyword",
    "kubernetes.audit.requestObject.spec.type": "keyword",
    "kubernetes.audit.requestObject.rules.resources": "keyword",
-    "kubernetes.audit.requestObject.rules.verb": "keyword"
+    "kubernetes.audit.requestObject.rules.verb": "keyword",
+    "kubernetes.audit.responseStatus.reason": "keyword"
  }
 }
@@ -0,0 +1,61 @@
+[metadata]
+creation_date = "2022/09/13"
+integration = "kubernetes"
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/09/15"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects when a service account makes an unauthorized request for resources from the API server. Service
+accounts follow a very predictable pattern of behavior. A service account should never send an unauthorized request to
+the API server. This behavior is likely an indicator of compromise or of a problem within the cluster. An adversary may
+have gained access to credentials/tokens and this could be an attempt to access or create resources to facilitate
+further movement or execution within the cluster.
+"""
+false_positives = [
+    """
+    Unauthorized requests from service accounts are highly abnormal and more indicative of human behavior or a serious
+    problem within the cluster. This behavior should be investigated further.
+    """,
+]
+index = ["logs-kubernetes.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Kubernetes Denied Service Account Request"
+note = """## Setup
+
+The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule."""
+references = [
+    "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections",
+    "https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens",
+]
+risk_score = 47
+rule_id = "63c056a0-339a-11ed-a261-0242ac120002"
+severity = "medium"
+tags = ["Elastic", "Kubernetes", "Continuous Monitoring", "Discovery"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: "kubernetes.audit_logs" 
+  and kubernetes.audit.user.username: system\:serviceaccount\:* 
+  and kubernetes.audit.annotations.authorization_k8s_io/decision: "forbid" 
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1613"
+name = "Container and Resource Discovery"
+reference = "https://attack.mitre.org/techniques/T1613/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+