austinsonger
commented
3 years ago My first go around on it.
event.dataset:(googlecloud.audit or gcp.audit) and
event.action:event.action:io.k8s.core.v*.secrets.get and event.outcome:successOpen christophercutajar opened 3 years ago
austinsonger
commented
3 years ago My first go around on it.
event.dataset:(googlecloud.audit or gcp.audit) and
event.action:event.action:io.k8s.core.v*.secrets.get and event.outcome:success
christophercutajar
commented
3 years ago My first go around on it.
event.dataset:(googlecloud.audit or gcp.audit) and event.action:event.action:io.k8s.core.v*.secrets.get and event.outcome:success
Agree with this logic too! More generic than mine and reviewing once again the data, system* service accounts would not create any unnecessary noise. The only noise they will create would be during a deployment or upgrade which this is all legitimate activity. What I'm not sure about is how noisy it will be in an immutable infrastructure? What is your opinion in this?
botelastic[bot]
commented
3 years ago This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
brokensound77
commented
3 years ago open PR in review
botelastic[bot]
commented
2 years ago This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
christophercutajar
commented
2 years ago PR in review. @austinsonger let me know if you need any help!
botelastic[bot]
commented
2 years ago This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
christophercutajar
commented
2 years ago PR still in review https://github.com/elastic/detection-rules/pull/1266
botelastic[bot]
commented
2 years ago This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
christophercutajar
commented
2 years ago Still relevant
Description
Kubernetes is an attacking vector that current there is no detection rules for. During my initial analysis I was able to create a KQL queries that can detect the following activity:
The purpose of this rule is to detect a user enumerating kubernetes secrets
Required Info
Target indexes
filebeat-*withgcpmodule havingauditconfigured.Additional requirements
Target Operating Systems
Kubernetes
Platforms
Google Kubernetes Engine
Tested ECS Version
1.8.0
Optional Info
Query
In this query I'm excluding any enumeration done by
system*which could include the following:system:serviceaccount:elastic-system:elastic-operatorsystem:apiserversystem:serviceaccount:default:ingress-controller-ingress-nginx-admissionsystem:serviceaccount:kube-system:generic-garbage-collectorQuery
``` "query": { "bool": { "must": [], "filter": [ { "bool": { "must_not": { "bool": { "should": [ { "query_string": { "fields": [ "gcp.audit.authentication_info.principal_email" ], "query": "system*" } } ], "minimum_should_match": 1 } } } }, { "range": { "@timestamp": { "gte": "2021-05-04T13:29:16.495Z", "lte": "2021-05-05T13:29:16.495Z", "format": "strict_date_optional_time" } } }, { "match_phrase": { "event.module": "gcp" } }, { "match_phrase": { "gcp.audit.type": "type.googleapis.com/google.cloud.audit.AuditLog" } }, { "match_phrase": { "gcp.audit.method_name": "io.k8s.core.v1.secrets.get" } } ], "should": [], "must_not": [ { "match_phrase": { "gcp.audit.status.message": "PERMISSION_DENIED" } } ] } } ```New fields required in ECS/data sources for this rule?
Related issues or PRs
Ready to create the necessary detection rule
tomlfilesReferences
https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
Example Data