* [New Rule] Kubernetes Suspicious Assignment of Controller Service Account
Issues
--
#2034
Summary
--
This rule detects a request to attach a controller service account to an existing or new pod running in the kube-system namespace. By default, controllers running as part of the API Server utilize admin-equivalent service accounts hosted in the kube-system namespace. Controller service accounts aren't normally assigned to running pods and could indicate adversary behavior within the cluster. An attacker that can create or modify pods or pod controllers in the kube-system namespace, can assign one of these admin-equivalent service accounts to a pod and abuse their powerful token to escalate privileges and gain complete cluster control.
* Update privilege_escalation_suspicious_assignment_of_controller_service_account.toml
updated query after testing
* Update non-ecs-schema.json
added new field used in query update
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* [New Rule] Kubernetes Denied Service Account Request
## Issue
#2040
## Summary
This rule detects when a service account makes an unauthorized request for resources from the API server. Service accounts follow a very predictable pattern of behavior. A service account should never send an unauthorized request to the API server. This behavior is likely an indicator of compromise or of a problem within the cluster. An adversary may have gained access to credentials/tokens and this could be an attempt to access or create resources to facilitate further movement or execution within the cluster.
* Update discovery_denied_service_account_request.toml
updated the query after testing to reduce false positives
* Update rules/integrations/kubernetes/discovery_denied_service_account_request.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* [New Rule] Kubernetes Anonymous Request Authorized
## Issue
#2038
## Summary
This rule detects when an unauthenticated user request is authorized within the cluster. Attackers may attempt to use
anonymous accounts to gain initial access to the cluster or to avoid attribution of their activities within the cluster.
This rule excludes the /healthz, /livez and /readyz endpoints which are commonly accessed anonymously.
* [New Rule] Kubernetes Suspicious Change to Privileges of Running Security Context
## Issue
https://github.com/elastic/detection-rules/issues/2032
## Summary
* Delete non-ecs-schema.json
* Delete privilege_escalation_suspicious_change_to_privileges_of_running_security_context.toml
* Create non-ecs-schema.json
* Update detection_rules/etc/non-ecs-schema.json
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* Create discovery_suspicious_self_subject_review.toml
Adding new rule
* non-ecs-schema fields added and query change to specify fields
added non ecs-schema fields for all coming k8s rules and added specific fields to the query instead of using regex
* Update discovery_suspicious_self_subject_review.toml
* Update rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* [New Rule] Kubernetes Pod Created With HostPID
new rule toml for pod created with hostPID and updated non-ecs-schema with all k8s fields
* Update privilege_escalation_pod_created_with_hostpid.toml
* Update rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* [New Rule] Kubernetes Pod Created With HostNetwork
new rule toml for pod created with hostNetwork and added all k8s fields to non-ecs-schema json
* Update privilege_escalation_pod_created_with_hostnetwork.toml
* Update rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* [New Rule] Kubernetes Pod Created With HostIPC
new rule toml file for pod created with hostIPC and k8s fields added to non-ecs-schema json
* Rename privilege_escalation_pod_created_with_hostIPC.toml to privilege_escalation_pod_created_with_hostipc.toml
* Update rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* [New Rule] Kubernetes Exposed Service Created With Type NodePort
new rule toml for exposed service created with type nodeport and added all k8s fields to non-ecs-schema
* Update rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
I'm removing the event.dataset query portion of the rule because this field has been removed from the current mapping so this rule is not triggering with the most updated K8s Integrations.
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
* Create execution_user_exec_to_pod.toml
* Update execution_user_exec_to_pod.toml
* Update rules/integrations/kubernetes/execution_user_exec_to_pod.toml
* Update non-ecs-schema.json
* Update execution_user_exec_to_pod.toml
* Update rules/integrations/kubernetes/execution_user_exec_to_pod.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update execution_user_exec_to_pod.toml
* Update execution_user_exec_to_pod.toml
* Update execution_user_exec_to_pod.toml
* toml-linted file and add to false positive
toml-linted the file and added to the false positive description
* Create notepad.sct
Added this back into the repo, deleted by mistake.
* added min_stack_version based on integration
min stack version determined by integration support of necessary fields
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Isai