detection-rules
[New Rule] Azure Kubernetes Role or ClusterRole Modified or Deleted
Description
Identifies when an Azure Kubernetes Role/ClusterRole is created or modified.
Required Info
Target indexes
filebeat-*, logs-azure*
Platforms
Azure
Optional Info
Query
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:
(MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/WRITE or
MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/DELETE or
MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/BIND/ACTION or
MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/ESCALATE/ACTION or
MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/WRITE or
MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/DELETE or
MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/BIND/ACTION or
MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/ESCALATE/ACTION) and
event.outcome:(Success or success)
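To see what the query above would and would not alert on, here is an added Python matcher (illustration only, not code from the detection-rules repository) that expands the eight operation names from the query and applies the same three conditions to constructed Azure activity-log events, including a failed (denied) attempt, a read-only operation and an event from a different dataset.

```python
"""Added example: apply the proposed rule's conditions to constructed activity-log events.
Field names follow the query; the events themselves are constructed samples, not real logs."""

RBAC_PREFIX = "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/"
# The eight operation names in the query: two object kinds x four privileged actions.
WATCHED_OPERATIONS = {
    f"{RBAC_PREFIX}{kind}/{action}"
    for kind in ("CLUSTERROLES", "ROLES")
    for action in ("WRITE", "DELETE", "BIND/ACTION", "ESCALATE/ACTION")
}

def get_field(event, dotted):
    """Resolve a dotted ECS field name against a nested dict; None when absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches_rule(event):
    """Mirror the query: right dataset, a watched operation name, successful outcome."""
    return (
        get_field(event, "event.dataset") == "azure.activitylogs"
        and get_field(event, "azure.activitylogs.operation_name") in WATCHED_OPERATIONS
        and get_field(event, "event.outcome") in ("Success", "success")
    )

def make_event(operation, outcome="Success", dataset="azure.activitylogs"):
    """Build a minimal constructed event with only the fields the rule inspects."""
    return {"event": {"dataset": dataset, "outcome": outcome},
            "azure": {"activitylogs": {"operation_name": operation}}}

SAMPLE_EVENTS = [  # constructed samples
    make_event(f"{RBAC_PREFIX}CLUSTERROLES/WRITE"),                      # alerts
    make_event(f"{RBAC_PREFIX}ROLES/DELETE"),                            # alerts
    make_event(f"{RBAC_PREFIX}CLUSTERROLES/ESCALATE/ACTION", "Failure"),  # denied, no alert
    make_event(f"{RBAC_PREFIX}CLUSTERROLES/READ"),                       # read-only, no alert
    make_event(f"{RBAC_PREFIX}ROLES/WRITE", dataset="azure.auditlogs"),   # wrong dataset
]

def run_rule(events):
    """Return the operation names of the events the rule would alert on, in order."""
    return [get_field(e, "azure.activitylogs.operation_name")
            for e in events if matches_rule(e)]

if __name__ == "__main__":
    for op in run_rule(SAMPLE_EVENTS):
        print("ALERT:", op)
```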
New fields required in ECS/data sources for this rule?
Related issues or PRs
False Positives
MITRE
| Tactic | Technique ID | Technique Name | Sub-Technique Name |
|---|---|---|---|
References
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.