sigma-rules/rules/integrations/kubernetes at 838e926058d207cebc2392fb8da9750653765159 - sigma-rules - GreySec Git

security-tools/sigma-rules

Files

T

History

Samirbous 338548a306 [New] Kubernetes Secret get or list from Node or Pod Service Account (#5973 )

* [New] Kubernetes Secret get or list from Node or Pod Service Account

Kubernetes audit identities for kubelet (`system:node:*`) and workloads (`system:serviceaccount:*`) are meant to operate with tight, predictable API usage. Direct `get` or `list` on the Secrets API from those principals is
often a sign of credential access.

* Update credential_access_kubernetes_secret_read_by_node_or_pod_service_account.toml

* Update credential_access_kubernetes_secret_read_by_node_or_pod_service_account.toml

2026-05-02 11:48:24 +01:00

..

credential_access_azure_arc_proxy_secret_configmap_access.toml

[Rule Tuning] Add Supplemental Mitre Mappings (#5876 )

2026-04-01 09:12:42 -05:00

credential_access_get_secrets_access.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

credential_access_kubernetes_multiple_secret_retrieval_burst.toml

[New] Kubernetes Rapid Secret GET Activity Against Multiple Objects (#5967 )

2026-05-02 10:43:13 +01:00

credential_access_kubernetes_secret_read_by_node_or_pod_service_account.toml

[New] Kubernetes Secret get or list from Node or Pod Service Account (#5973 )

2026-05-02 11:48:24 +01:00

credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml

[New] Kubernetes Secrets List Across Cluster or Sensitive Namespaces (#5966 )

2026-05-02 10:55:30 +01:00

defense_evasion_events_deleted.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

discovery_denied_service_account_request.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

discovery_endpoint_permission_enumeration_by_anonymous_user.toml

[Rule Tuning] Add Supplemental Mitre Mappings (#5876 )

2026-04-01 09:12:42 -05:00

discovery_endpoint_permission_enumeration_by_user_and_srcip.toml

[Rule Tuning] kubernetes.audit.userAgent --> user_agent.original Conversion (#5808 )

2026-03-05 14:13:30 +01:00

discovery_kubernetes_multi_resource_setup_recon.toml

[New] Kubernetes Multi-Resource Discovery (#5971 )

2026-05-02 10:32:50 +01:00

discovery_suspicious_self_subject_review.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

execution_anonymous_create_update_patch_pod_request.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

execution_forbidden_creation_request.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

execution_forbidden_request_from_unsual_user_agent.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

execution_unusual_request_response_by_user_agent.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

execution_user_exec_to_pod.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

initial_access_anonymous_request_authorized.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

persistence_cluster_admin_rolebinding_created.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

persistence_exposed_service_created_with_type_nodeport.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

persistence_sensitive_role_creation_or_modification.toml

[Rule Tuning] kubernetes.audit.userAgent --> user_agent.original Conversion (#5808 )

2026-03-05 14:13:30 +01:00

persistence_service_account_bound_to_clusterrole.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

privilege_escalation_container_created_with_excessive_linux_capabilities.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

privilege_escalation_pod_created_with_hostipc.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

privilege_escalation_pod_created_with_hostnetwork.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

privilege_escalation_pod_created_with_hostpid.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

privilege_escalation_privileged_pod_created.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

privilege_escalation_sensitive_rbac_change_followed_by_workload_modification.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

privilege_escalation_sensitive_workload_modification_by_user_agent.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

privilege_escalation_service_account_rbac_write_operation.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00

privilege_escalation_suspicious_assignment_of_controller_service_account.toml

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

2026-04-10 12:27:52 -04:00