security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a9364beef97e6dc297ef23c0955f489811e0d25d
sigma-rules/rules
T
History
Isai a9364beef9 [New Rule] Kubernetes Denied Service Account Request (#2299) 
* [New Rule] Kubernetes Denied Service Account Request

## Issue
#2040

## Summary
This rule detects when a service account makes an unauthorized request for resources from the API server. Service accounts follow a very predictable pattern of behavior. A service account should never send an unauthorized request to the API server. This behavior is likely an indicator of compromise or of a problem within the cluster. An adversary may have gained access to credentials/tokens and this could be an attempt to access or create resources to facilitate further movement or execution within the cluster.

* Update discovery_denied_service_account_request.toml

updated the query after testing to reduce false positives

* Update rules/integrations/kubernetes/discovery_denied_service_account_request.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-09-19 13:22:20 -04:00
..
_deprecated
[Deprecate Rule] Suspicious Process from Conhost (#2222)
2022-08-16 16:32:24 +02:00
apm
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
cross-platform
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
integrations
[New Rule] Kubernetes Denied Service Account Request (#2299)
2022-09-19 13:22:20 -04:00
linux
Linux rule to detect potential ssh brute force attack (#2291)
2022-09-19 20:26:18 +05:30
macos
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
ml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
network
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
promotions
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
windows
[New Rule] Multiple Vault Web credentials were read (#2281)
2022-09-19 19:07:05 +02:00
README.md
[New Rule] Endpoint Security Behavior Protection (#1440)
2021-08-25 09:56:59 -06:00

README.md

rules/

Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)

folder description
. Root directory where rules are stored
apm/ Rules that use Application Performance Monitoring (APM) data sources
cross-platform/ Rules that apply to multiple platforms, such as Windows and Linux
integrations/ Rules organized by Fleet integration
linux/ Rules for Linux or other Unix based operating systems
macos/ Rules for macOS
ml/ Rules that use machine learning jobs (ML)
network/ Rules that use network data sources
promotions/ Rules that promote external alerts into detection engine alerts
windows/ Rules for the Microsoft Windows Operating System

Integration specific rules are stored in the integrations/ directory:

folder integration
aws/ Amazon Web Services (AWS)
azure/ Microsoft Azure
cyberarkpas/ Cyber Ark Privileged Access Security
endpoint/ Elastic Endpoint Security
gcp/ Google Cloud Platform (GCP)
google_workspace/ Google Workspace (formerly GSuite)
o365/ Microsoft Office
okta/ Oka
Reference in New Issue View Git Blame Copy Permalink