security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
main
sigma-rules/rules_building_block/discovery_kubectl_configuration_discovery.toml
T
Ruben Groenewoud 440ff43810 [Rule Tuning] Adding D4C Compatibility to Compatible Container-Related Rules (#5685) 
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword

* [Rule Tuning] Adding D4C Compatibility to Compatible Container-Related Rules
2026-02-06 09:38:56 +01:00

71 lines
2.2 KiB
TOML
Raw Permalink Blame History

[metadata]
creation_date = "2025/06/19"
integration = ["endpoint", "auditd_manager", "crowdstrike", "cloud_defend"]
maturity = "production"
min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
min_stack_version = "9.3.0"
updated_date = "2026/02/05"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
This rule detects the execution of kubectl commands that are commonly used for configuration discovery in Kubernetes
environments. It looks for process events where kubectl is executed with arguments that query configuration information,
such as configmaps. In environments where kubectl is not expected to be used, this could indicate potential reconnaissance
activity by an adversary.
"""
from = "now-119m"
index = [
"logs-endpoint.events.*",
"endgame-*",
"auditbeat-*",
"logs-auditd_manager.auditd-*",
"logs-crowdstrike.fdr*",
"logs-cloud_defend.process*",
]
interval = "60m"
language = "eql"
license = "Elastic License v2"
name = "Kubectl Configuration Discovery"
risk_score = 21
rule_id = "98ac2919-f8b3-4d2d-b85b-e1c13ac0c68b"
severity = "low"
tags = [
"Domain: Container",
"Domain: Endpoint",
"Domain: Kubernetes",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Rule Type: BBR",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager",
"Data Source: Crowdstrike",
"Data Source: Elastic Defend for Containers",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "executed", "process_started", "ProcessRollup2") and
process.name == "kubectl" and process.args in ("get", "describe") and process.args in ("configmap", "configmaps") and
not ?process.parent.args in (
"/hooks/schedule_sync_configmap.sh", "/service-fabric/generate-support-bundle.sh", "/hooks/onstartup_sync_configmap.sh"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1613"
name = "Container and Resource Discovery"
reference = "https://attack.mitre.org/techniques/T1613/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
Reference in New Issue View Git Blame Copy Permalink