detection-rules
Loading

Kubernetes Cluster-Admin Role Binding Created

This rule detects the creation of a RoleBinding or ClusterRoleBinding that grants the cluster-admin ClusterRole, which provides unrestricted access to all Kubernetes resources and represents a high-risk privilege escalation or misconfiguration.

Rule type: query
Rule indices:

  • logs-kubernetes.audit_logs-*

Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: ``
Maximum alerts per execution: 100
References:

Tags:

  • Data Source: Kubernetes
  • Domain: Kubernetes
  • Use Case: Threat Detection
  • Tactic: Persistence
  • Tactic: Privilege Escalation

Version: 1
Rule authors:

  • Elastic

Rule license: Elastic License v2

event.dataset: "kubernetes.audit_logs" and kubernetes.audit.objectRef.resource:("clusterrolebindings" or "rolebindings") and
kubernetes.audit.verb:"create" and kubernetes.audit.requestObject.roleRef.name:"cluster-admin" and
kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
kubernetes.audit.level:"RequestResponse" and kubernetes.audit.stage:"ResponseComplete"

Framework: MITRE ATT&CK

Framework: MITRE ATT&CK