security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0a4a05f322b87d8ea9d653643dfd843a90773569
sigma-rules/rules/integrations/kubernetes
T
History
Samirbous 0a4a05f322 [New] Kubernetes Rapid Secret GET Activity Against Multiple Objects (#5967) 
* [New] Kubernetes Rapid Secret GET Activity Against Multiple Objects

Detects multiple k8 get secret calls for unique secret names in a short period of time (rule interval default to every 5m):

* Update credential_access_kubernetes_multiple_secret_retrieval_burst.toml

* Update credential_access_kubernetes_multiple_secret_retrieval_burst.toml

* Update credential_access_kubernetes_multiple_secret_retrieval_burst.toml

* Update credential_access_kubernetes_multiple_secret_retrieval_burst.toml
2026-05-02 10:43:13 +01:00
..
credential_access_azure_arc_proxy_secret_configmap_access.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
credential_access_get_secrets_access.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
credential_access_kubernetes_multiple_secret_retrieval_burst.toml
[New] Kubernetes Rapid Secret GET Activity Against Multiple Objects (#5967)
2026-05-02 10:43:13 +01:00
defense_evasion_events_deleted.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
discovery_denied_service_account_request.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
discovery_endpoint_permission_enumeration_by_anonymous_user.toml
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
discovery_endpoint_permission_enumeration_by_user_and_srcip.toml
[Rule Tuning] kubernetes.audit.userAgent --> user_agent.original Conversion (#5808)
2026-03-05 14:13:30 +01:00
discovery_kubernetes_multi_resource_setup_recon.toml
[New] Kubernetes Multi-Resource Discovery (#5971)
2026-05-02 10:32:50 +01:00
discovery_suspicious_self_subject_review.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
execution_anonymous_create_update_patch_pod_request.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
execution_forbidden_creation_request.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
execution_forbidden_request_from_unsual_user_agent.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
execution_unusual_request_response_by_user_agent.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
execution_user_exec_to_pod.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
initial_access_anonymous_request_authorized.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
persistence_cluster_admin_rolebinding_created.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
persistence_exposed_service_created_with_type_nodeport.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
persistence_sensitive_role_creation_or_modification.toml
[Rule Tuning] kubernetes.audit.userAgent --> user_agent.original Conversion (#5808)
2026-03-05 14:13:30 +01:00
persistence_service_account_bound_to_clusterrole.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
privilege_escalation_container_created_with_excessive_linux_capabilities.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
privilege_escalation_pod_created_with_hostipc.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
privilege_escalation_pod_created_with_hostnetwork.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
privilege_escalation_pod_created_with_hostpid.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
privilege_escalation_privileged_pod_created.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
privilege_escalation_sensitive_workload_modification_by_user_agent.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
privilege_escalation_service_account_rbac_write_operation.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
privilege_escalation_suspicious_assignment_of_controller_service_account.toml
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00