[Rule Tuning] GCP Kubernetes Rolebindings Created or Patched (#1718)

* Update privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml

* Update rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 38ae64f729)
Jonhnathan
2022-01-27 09:31:51 -03:00
committed by github-actions[bot]
parent a5b1ac9e0e
commit b753a05c72
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/06/06"
maturity = "production"
updated_date = "2021/12/13"
updated_date = "2022/01/24"
integration = "gcp"
[rule]
@@ -33,7 +33,8 @@ type = "query"
query = '''
event.dataset:(googlecloud.audit or gcp.audit) and event.action:(io.k8s.authorization.rbac.v*.clusterrolebindings.create or
io.k8s.authorization.rbac.v*.rolebindings.create or io.k8s.authorization.rbac.v*.clusterrolebindings.patch or
io.k8s.authorization.rbac.v*.rolebindings.patch) and event.outcome:success
io.k8s.authorization.rbac.v*.rolebindings.patch) and event.outcome:success and
not gcp.audit.authentication_info.principal_email:"system:addon-manager"
'''
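Review bot: The added clause `not gcp.audit.authentication_info.principal_email:"system:addon-manager"` suppresses every successful rolebinding or clusterrolebinding create/patch attributed to that principal, and nothing in the visible hunk records why. Assuming the intent is to drop routine add-on manager activity, I would state that in a comment above `query`, e.g. `# system:addon-manager is excluded as expected add-on activity; binding changes by this principal do not alert`, and mention the resulting gap in the rule's `false_positives` or `note` text, which lies outside this hunk. The exclusion also names only the `gcp.audit.*` field while the query still matches `event.dataset:googlecloud.audit`. If events from that dataset carry the principal under a different field name, the clause never applies to them and the noise remains, so that is worth confirming against sample data.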