security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0c69b63ff2225155cb3d8c794b2c3a0d297c7dfb
sigma-rules/rules/integrations
T
History
Samirbous 0c69b63ff2 [New] Kubernetes Secret get or list with Suspicious User Agent (#5974) 
* [New] Kubernetes Secret get or list via Scripting or Generic HTTP Client

After obtaining Kubernetes API credentials, adversaries often reach for generic HTTP stacks and scripting runtimes (curl, wget, Python requests, Go’s default client, and similar) instead of kubectl or in-cluster controllers that advertise purpose-built user agents. Those clients are easy to drive from a stolen kubeconfig, a compromised bastion,  or a reverse shell and are commonly used to enumerate or download Secret objects (tokens, registry credentials, TLS material, application keys).

* ++

* Update credential_access_kubernetes_secret_access_scripting_http_clients.toml
2026-05-02 16:14:17 +01:00
..
aws
[New] Diverse AWS rules (#5913)
2026-05-01 21:57:28 +01:00
aws_bedrock
[Tuning] Add mv_expand for gen_ai.policy.action field (#5296)
2025-11-11 07:37:40 +05:30
azure
Prep for Release 9.4 (#5965)
2026-04-23 00:13:05 +05:30
azure_openai
[Rule Tuning] Updated ESQL Rules Based on Validation Results (#5151)
2025-09-30 00:36:29 -04:00
beaconing
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
cloud_defend
[New] Nsenter to PID 1 Namespace via Auditd/D4C (#5988)
2026-05-02 14:56:06 +01:00
cyberarkpas
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
ded
Add Entity related integrations ML rules with _ea job IDs and min_stack_version 9.4.0 (#5909)
2026-04-22 17:36:35 +05:30
dga
Add Entity related integrations ML rules with _ea job IDs and min_stack_version 9.4.0 (#5909)
2026-04-22 17:36:35 +05:30
endpoint
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
fim
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
gcp
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
github
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
google_workspace
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
kubernetes
[New] Kubernetes Secret get or list with Suspicious User Agent (#5974)
2026-05-02 16:14:17 +01:00
lmd
Add Entity related integrations ML rules with _ea job IDs and min_stack_version 9.4.0 (#5909)
2026-04-22 17:36:35 +05:30
microsoft_exchange_online_message_trace
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
o365
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
okta
[Rule Tuning] Revert Event Dataset for Security Alert Index (#5994)
2026-04-28 13:17:03 -04:00
pad
Add Entity related integrations ML rules with _ea job IDs and min_stack_version 9.4.0 (#5909)
2026-04-22 17:36:35 +05:30
problemchild
Add Entity related integrations ML rules with _ea job IDs and min_stack_version 9.4.0 (#5909)
2026-04-22 17:36:35 +05:30