security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
338548a3063beaed310d8a4d565f70a9170c4954
sigma-rules/rules/integrations
T
History
Samirbous 338548a306 [New] Kubernetes Secret get or list from Node or Pod Service Account (#5973) 
* [New] Kubernetes Secret get or list from Node or Pod Service Account

Kubernetes audit identities for kubelet (`system:node:*`) and workloads (`system:serviceaccount:*`) are meant to operate with tight, predictable API usage. Direct `get` or `list` on the Secrets API from those principals is
often a sign of credential access.

* Update credential_access_kubernetes_secret_read_by_node_or_pod_service_account.toml

* Update credential_access_kubernetes_secret_read_by_node_or_pod_service_account.toml
2026-05-02 11:48:24 +01:00
..
aws
[New] Diverse AWS rules (#5913)
2026-05-01 21:57:28 +01:00
aws_bedrock
[Tuning] Add mv_expand for gen_ai.policy.action field (#5296)
2025-11-11 07:37:40 +05:30
azure
Prep for Release 9.4 (#5965)
2026-04-23 00:13:05 +05:30
azure_openai
[Rule Tuning] Updated ESQL Rules Based on Validation Results (#5151)
2025-09-30 00:36:29 -04:00
beaconing
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
2026-04-01 09:12:42 -05:00
cloud_defend
[Tuning/New] Namespace Manipulation Using Unshare (#6024)
2026-05-01 15:29:44 +01:00
cyberarkpas
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
ded
Add Entity related integrations ML rules with _ea job IDs and min_stack_version 9.4.0 (#5909)
2026-04-22 17:36:35 +05:30
dga
Add Entity related integrations ML rules with _ea job IDs and min_stack_version 9.4.0 (#5909)
2026-04-22 17:36:35 +05:30
endpoint
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
fim
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
gcp
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
github
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
google_workspace
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
kubernetes
[New] Kubernetes Secret get or list from Node or Pod Service Account (#5973)
2026-05-02 11:48:24 +01:00
lmd
Add Entity related integrations ML rules with _ea job IDs and min_stack_version 9.4.0 (#5909)
2026-04-22 17:36:35 +05:30
microsoft_exchange_online_message_trace
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
o365
[Rule Tuning] Change event.dataset to data_stream.dataset (#5943)
2026-04-10 12:27:52 -04:00
okta
[Rule Tuning] Revert Event Dataset for Security Alert Index (#5994)
2026-04-28 13:17:03 -04:00
pad
Add Entity related integrations ML rules with _ea job IDs and min_stack_version 9.4.0 (#5909)
2026-04-22 17:36:35 +05:30
problemchild
Add Entity related integrations ML rules with _ea job IDs and min_stack_version 9.4.0 (#5909)
2026-04-22 17:36:35 +05:30