Introduce versions of rules for K8s audit log format

rules/cloud/kubernetes/audit/kubernetes_audit_change_admission_controller.yml

@@ -0,0 +1,38 @@
+title: Kubernetes Admission Controller Modification
+id: eed82177-38f5-4299-8a76-098d50d225ab
+related:
+    - id: 6ad91e31-53df-4826-bd27-0166171c8040
+      type: similar
+status: experimental
+description: |
+    Detects when a modification (create, update or replace) action is taken that
+    affects mutating or validating webhook configurations, as they can be used by
+    an adversary to achieve perisistence or exfiltrate access credentials.
+references:
+    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
+    - https://security.padok.fr/en/blog/kubernetes-webhook-attackers
+date: 2025-04-09
+tags:
+    - attack.persistence
+    - attack.t1078
+    - attack.credential_access
+    - attack.t1552.007
+logsource:
+    product: kubernetes
+    service: audit.k8s.io/v1
+detection:
+    selection:
+        objectRef.apiGroup: admissionregistration.k8s.io
+        objectRef.resource:
+            - mutatingwebhookconfigurations
+            - validatingwebhookconfigurations
+        verb:
+            - create
+            - patch
+            - update
+            - replace
+    condition: selection
+falsepositives:
+    - Modifying the Kubernetes Admission Controller may need to be done by a system administrator.
+    - Automated processes may need to take these actions and may need to be filtered.
+level: medium

rules/cloud/kubernetes/audit/kubernetes_audit_cronjob_modification.yml

@@ -0,0 +1,39 @@
+title: Kubernetes CronJob/Job Modification
+id: 0c9b3bda-41a6-4442-9345-356ae86343dc
+related:
+    - id: cd3a808c-c7b7-4c50-a2f3-f4cfcd436435
+      type: similar
+status: experimental
+description: |
+    Detects when a Kubernetes CronJob or Job is created or modified. A Kubernetes
+    Job creates one or more pods to accomplish a specific task, and a CronJob
+    creates Jobs on a recurring schedule. An adversary can take advantage of this
+    Kubernetes object to schedule Jobs to run containers that execute malicious
+    code within a cluster, allowing them to achieve persistence.
+references:
+    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
+    - https://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob
+date: 2025-04-09
+tags:
+    - attack.persistence
+    - attack.execution
+    - attack.t1603
+logsource:
+    product: kubernetes
+    service: audit.k8s.io/v1
+detection:
+    selection:
+        objectRef.apiGroup: batch
+        objectRef.resource:
+            - jobs
+            - cronjobs
+        verb:
+            - create
+            - patch
+            - replace
+            - update
+    condition: selection
+falsepositives:
+    - Modifying a Kubernetes Job or CronJob may need to be done by a system administrator.
+    - Automated processes may need to take these actions and may need to be filtered.
+level: medium

rules/cloud/kubernetes/audit/kubernetes_audit_rolebinding_modification.yml

@@ -0,0 +1,34 @@
+title: Kubernetes Rolebinding Modification
+id: 10b97915-ec8d-455f-a815-9a78926585f6
+related:
+    - id: 0322d9f2-289a-47c2-b5e1-b63c90901a3e
+      type: similar
+status: experimental
+description: |
+    Detects when a Kubernetes Rolebinding is created or modified.
+references:
+    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
+    - https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab
+date: 2025-04-09
+tags:
+    - attack.privilege_escalation
+    - attack.t1548
+logsource:
+    product: kubernetes
+    service: audit.k8s.io/v1
+detection:
+    selection:
+        objectRef.apiGroup: rbac.authorization.k8s.io
+        objectRef.resource:
+            - clusterrolebindings
+            - rolebindings
+        verb:
+            - create
+            - delete
+            - patch
+            - update
+    condition: selection
+falsepositives:
+    - Modifying a Kubernetes Rolebinding may need to be done by a system administrator.
+    - Automated processes may need to take these actions and may need to be filtered.
+level: medium

rules/cloud/kubernetes/audit/kubernetes_audit_secrets_modified_or_deleted.yml

@@ -0,0 +1,32 @@
+title: Kubernetes Secrets Modified or Deleted
+id: 58d31a75-a4f8-4c40-985b-373d58162ca2
+related:
+    - id: 2f0bae2d-bf20-4465-be86-1311addebaa3
+      type: similar
+status: experimental
+description: Identifies when Kubernetes Secrets are Modified or Deleted.
+references:
+    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
+    - https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/
+author: kelnage
+date: 2025-04-09
+tags:
+    - attack.credential_access
+    - attack.t1555.006
+logsource:
+    product: kubernetes
+    service: audit.k8s.io/v1
+detection:
+    selection:
+        objectRef.resource: secrets
+        verb:
+            - create
+            - delete
+            - patch
+            - replace
+            - update
+    condition: selection
+falsepositives:
+    - Secrets being modified or deleted may be performed by a system administrator.
+    - Automated processes may need to take these actions and may need to be filtered.
+level: medium

rules/cloud/kubernetes/audit/kubernetes_audit_unauthorized_unauthenticated_actions.yml

@@ -0,0 +1,27 @@
+title: Kubernetes Unauthorized or Unauthenticated Access
+id: 0d933542-1f1f-420d-97d4-21b2c3c492d9
+status: experimental
+author: kelnage
+description: |
+    Detects when a request to the Kubernetes API is rejected due to lack of authorization or
+    due to an expired authentication token being used. This may indicate an attacker attempting
+    to leverage credentials they have obtained.
+references:
+    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
+    - https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues
+date: 2025-04-09
+tags:
+    - attack.privilege_escalation
+    - attack.t1134
+logsource:
+    product: kubernetes
+    service: audit.k8s.io/v1
+detection:
+    selection:
+        responseStatus.code:
+            - 401 # Unauthorized
+            - 403 # Forbidden
+    condition: selection
+falsepositives:
+    - A misconfigured RBAC policy, a mistake by a valid user, or a wider issue with authentication tokens can also generate these errors.
+level: low

tests/logsource.json

@@ -376,6 +376,14 @@
                 "onelogin.events":[]
             }
         },
+        "kubernetes":{
+            "common": [],
+            "empty": [],
+            "category":{},
+            "service":{
+                "audit.k8s.io/v1":[]
+            }
+        },
         "huawei":{
             "common": [],
             "empty": [],
@@ -445,4 +453,4 @@
             "service":{}
         }
     }
-}
+}