From a9364beef97e6dc297ef23c0955f489811e0d25d Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Mon, 19 Sep 2022 13:22:20 -0400
Subject: [PATCH] [New Rule] Kubernetes Denied Service Account Request (#2299)

* [New Rule] Kubernetes Denied Service Account Request
## Issue #2040
## Summary
This rule detects when a service account makes an unauthorized request for resources from the API server. Service accounts follow a very predictable pattern of behavior. A service account should never send an unauthorized request to the API server. This behavior is likely an indicator of compromise or of a problem within the cluster. An adversary may have gained access to credentials/tokens and this could be an attempt to access or create resources to facilitate further movement or execution within the cluster.
* Update discovery_denied_service_account_request.toml updated the query after testing to reduce false positives
* Update rules/integrations/kubernetes/discovery_denied_service_account_request.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---
 detection_rules/etc/non-ecs-schema.json | 3 +-
 ...covery_denied_service_account_request.toml | 61 +++++++++++++++++++
 2 files changed, 63 insertions(+), 1 deletion(-)
 create mode 100644 rules/integrations/kubernetes/discovery_denied_service_account_request.toml

diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index 6d2691150..45334cc79 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -83,6 +83,7 @@
 "kubernetes.audit.requestObject.spec.volumes.hostPath.path": "keyword",
 "kubernetes.audit.requestObject.spec.type": "keyword",
 "kubernetes.audit.requestObject.rules.resources": "keyword",
- "kubernetes.audit.requestObject.rules.verb": "keyword"
+ "kubernetes.audit.requestObject.rules.verb": "keyword",
+ "kubernetes.audit.responseStatus.reason": "keyword"
 }
 }
diff --git a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
new file mode 100644
index 000000000..2214c59ff
--- /dev/null
+++ b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
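Review bot: The schema entry `kubernetes.audit.responseStatus.reason` added after `rules.verb` is not referenced by the rule this commit introduces, whose query keys on `kubernetes.audit.annotations.authorization_k8s_io/decision` (next hunk); it looks like a leftover from an earlier form of the query, given the "updated the query after testing" note in the commit message. If no other rule depends on it, drop the line so the non-ECS schema only declares fields that rules actually use; otherwise confirm the `keyword` type against the Kubernetes integration's field mapping so that rule validation reflects the real field.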
@@ -0,0 +1,61 @@
+[metadata]
+creation_date = "2022/09/13"
+integration = "kubernetes"
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/09/15"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects when a service account makes an unauthorized request for resources from the API server. Service
+accounts follow a very predictable pattern of behavior. A service account should never send an unauthorized request to
+the API server. This behavior is likely an indicator of compromise or of a problem within the cluster. An adversary may
+have gained access to credentials/tokens and this could be an attempt to access or create resources to facilitate
+further movement or execution within the cluster.
+"""
+false_positives = [
+ """
+ Unauthorized requests from service accounts are highly abnormal and more indicative of human behavior or a serious
+ problem within the cluster.
+ """,
+]
+index = ["logs-kubernetes.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Kubernetes Denied Service Account Request"
+note = """## Setup
+
+The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule."""
+references = [
+ "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections",
+ "https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens",
+]
+risk_score = 47
+rule_id = "63c056a0-339a-11ed-a261-0242ac120002"
+severity = "medium"
+tags = ["Elastic", "Kubernetes", "Continuous Monitoring", "Discovery"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: "kubernetes.audit_logs"
+ and kubernetes.audit.user.username: system\:serviceaccount\:*
+ and kubernetes.audit.annotations.authorization_k8s_io/decision: "forbid"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1613"
+name = "Container and Resource Discovery"
+reference = "https://attack.mitre.org/techniques/T1613/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
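Review bot: The description and the `false_positives` entry speak of "unauthorized" requests, but the query matches `kubernetes.audit.annotations.authorization_k8s_io/decision: "forbid"` together with a `system:serviceaccount:*` username, i.e. RBAC authorization denials of an already-authenticated service-account identity; requests rejected at authentication (no valid token) carry no `system:serviceaccount:` username and fall outside the rule. Suggest stating that scope in `description`, e.g. `This rule detects when an authenticated service account is denied (forbidden) by the API server's authorization layer; authentication failures are not covered.` The `## Setup` note could also say that the cluster audit policy must log these requests at least at the Metadata level, since the decision annotation only exists on audit events the policy emits. The `false_positives` text asserts such events are highly abnormal, while the commit message records that the query was reworked to reduce false positives; naming the benign sources seen during testing would give analysts something concrete to triage against.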