elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[New Rule] Kubernetes ServiceAccount Creation #1189

Open christophercutajar opened 3 years ago

christophercutajar commented 3 years ago

Description

Kubernetes is an attack vector that currently has no detection rules. During my initial analysis I was able to create KQL queries that can detect the following activity:

The purpose of this rule is to detect the creation of new service accounts within the Kubernetes Cluster

Required Info

Target indexes

filebeat-* with gcp module having audit configured.

Additional requirements

Target Operating Systems

Kubernetes

Platforms

Google Kubernetes Engine

Tested ECS Version

1.8.0

Optional Info

Query

In this query I'm excluding any new service account created by system*

Query

```json
"query": {
  "bool": {
    "must": [],
    "filter": [
      {
        "bool": {
          "filter": [
            {
              "bool": {
                "should": [
                  { "match_phrase": { "gcp.audit.method_name": "io.k8s.core.v1.serviceaccounts.create" } }
                ],
                "minimum_should_match": 1
              }
            },
            {
              "bool": {
                "must_not": {
                  "bool": {
                    "should": [
                      {
                        "query_string": {
                          "fields": [ "gcp.audit.authentication_info.principal_email" ],
                          "query": "system*"
                        }
                      }
                    ],
                    "minimum_should_match": 1
                  }
                }
              }
            }
          ]
        }
      },
      {
        "range": {
          "@timestamp": {
            "gte": "2021-05-04T13:34:33.149Z",
            "lte": "2021-05-05T13:34:33.149Z",
            "format": "strict_date_optional_time"
          }
        }
      },
      { "match_phrase": { "event.module": "gcp" } },
      { "match_phrase": { "gcp.audit.type": "type.googleapis.com/google.cloud.audit.AuditLog" } },
      { "match_phrase": { "log.logger": "projects/elastic-infosec/logs/cloudaudit.googleapis.com%2Factivity" } }
    ],
    "should": [],
    "must_not": []
  }
}
```

New fields required in ECS/data sources for this rule?

Related issues or PRs

Ready to create the necessary detection rule toml files

References

https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging

Example Data

austinsonger commented 3 years ago

My first go around on it.

```
event.dataset:(googlecloud.audit or gcp.audit) and
event.action:io.k8s.core.v*.serviceaccounts.create and event.outcome:success
```
christophercutajar commented 3 years ago

> My first go around on it.
>
> ```
> event.dataset:(googlecloud.audit or gcp.audit) and
> event.action:io.k8s.core.v*.serviceaccounts.create and event.outcome:success
> ```

Yep totally agree with this @austinsonger, this is more generic than mine.
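
As an added illustration (not code from the detection-rules repository or from anyone in this thread), the following Python applies the generic KQL above, plus the `system*` exclusion from the original GKE query, to a few constructed audit events; the sample events, the `get_field` helper and the prefix-match approximation of the `query_string` wildcard are assumptions made for the example.

```python
import fnmatch
from typing import Any, Dict, Iterable, List

# Constructed sample events (not real audit data) in the ECS shape the filebeat gcp
# module emits, carrying only the fields the two queries in this thread use.
SAMPLE_EVENTS = [
    {"event": {"dataset": "gcp.audit", "action": "io.k8s.core.v1.serviceaccounts.create",
               "outcome": "success"},
     "gcp": {"audit": {"authentication_info": {"principal_email": "alice@example.com"}}}},
    {"event": {"dataset": "gcp.audit", "action": "io.k8s.core.v1.serviceaccounts.create",
               "outcome": "success"},
     "gcp": {"audit": {"authentication_info": {
         "principal_email": "system:serviceaccount:kube-system:controller"}}}},
    {"event": {"dataset": "googlecloud.audit", "action": "io.k8s.core.v1.serviceaccounts.create",
               "outcome": "failure"},
     "gcp": {"audit": {"authentication_info": {"principal_email": "bob@example.com"}}}},
    {"event": {"dataset": "gcp.audit", "action": "io.k8s.core.v1.secrets.create",
               "outcome": "success"},
     "gcp": {"audit": {"authentication_info": {"principal_email": "carol@example.com"}}}},
]

def get_field(event: Dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted ECS field name such as 'event.action' against a nested event (assumed helper)."""
    node: Any = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def matches_rule(event: Dict[str, Any], exclude_system: bool = True) -> bool:
    """Generic KQL from the thread; exclude_system adds the original query's system* must_not clause."""
    if get_field(event, "event.dataset") not in ("googlecloud.audit", "gcp.audit"):
        return False
    action = get_field(event, "event.action") or ""
    if not fnmatch.fnmatchcase(action, "io.k8s.core.v*.serviceaccounts.create"):  # v* wildcard
        return False
    if get_field(event, "event.outcome") != "success":
        return False
    principal = get_field(event, "gcp.audit.authentication_info.principal_email") or ""
    if exclude_system and principal.startswith("system"):  # approximates query_string "system*"
        return False
    return True

def find_service_account_creations(events: Iterable[Dict[str, Any]], exclude_system: bool = True) -> List[str]:
    """Return the principal behind each service account creation the rule would alert on."""
    return [get_field(e, "gcp.audit.authentication_info.principal_email")
            for e in events if matches_rule(e, exclude_system)]
```

Running it over the constructed events keeps only the human-initiated successful creation; the failed call and the unrelated secrets.create event are dropped, and the in-cluster system principal is dropped only when the exclusion is enabled.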

botelastic[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.