Introduce versions of rules for K8s audit log format #5259
+179
−1
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
We already have a number of rules that detect Kubernetes intrusions in sigmaHQ, but they are all written for the various formats provided by the cloud providers. This PR includes versions of the rules that can be run over the format produced by the Kubernetes audit log itself.
kelnage
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary of the Pull Request
We already have a number of rules that detect Kubernetes (K8s) intrusions in SigmaHQ/sigma, but they are all written for the various formats provided by the cloud providers (e.g., this rule for Azure, and the same rule, but for GCP). This PR creates versions of those rules that can be run over the format produced by the K8s audit log itself.
See this documentation for more details about the K8s audit log.
Changelog
new: Kubernetes Admission Controller Modification
new: Kubernetes CronJob/Job Modification
new: Kubernetes Rolebinding Modification
new: Kubernetes Secrets Modified or Deleted
new: Kubernetes Unauthorized or Unauthenticated Access
Example Log Event
Fixed Issues
SigmaHQ Rule Creation Conventions