Kubernetes Creation or Modification of Sensitive Role

Detects the creation or modification of Kubernetes Roles or ClusterRoles that grant high-risk permissions, such as wildcard access or RBAC escalation verbs (e.g., bind, escalate, impersonate), which may enable privilege escalation or unauthorized access within the cluster.

Rule type: esql
Rule indices:

Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: ``
Maximum alerts per execution: 100
References:

Tags:

  • Data Source: Kubernetes
  • Domain: Kubernetes
  • Use Case: Threat Detection
  • Tactic: Persistence
  • Tactic: Privilege Escalation

Version: 1
Rule authors:

  • Elastic

Rule license: Elastic License v2

FROM logs-kubernetes.audit_logs-* metadata _id, _index, _version
| WHERE
  kubernetes.audit.objectRef.resource in ("roles", "clusterroles") and
  kubernetes.audit.verb in ("create", "update", "patch") and
  `kubernetes.audit.annotations.authorization_k8s_io/decision` == "allow" and
  kubernetes.audit.level == "RequestResponse" and kubernetes.audit.stage == "ResponseComplete" and
  KQL("""kubernetes.audit.requestObject.rules.verbs:("*" or "escalate" or "bind" or "impersonate") or kubernetes.audit.requestObject.rules.resources:("clusterroles" or "clusterrolebindings" or "roles" or "rolebindings")""")
| KEEP
  @timestamp,
  data_stream.namespace,
  `kubernetes.audit.annotations.authorization_k8s_io/decision`,
  kubernetes.audit.level,
  kubernetes.audit.objectRef.name,
  kubernetes.audit.objectRef.resource,
  kubernetes.audit.requestURI,
  kubernetes.audit.responseStatus.code,
  kubernetes.audit.sourceIPs,
  kubernetes.audit.stage,
  kubernetes.audit.user.groups,
  kubernetes.audit.user.username,
  kubernetes.audit.userAgent,
  kubernetes.audit.verb,
  _id,
  _index,
  _version
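The filter chain the ES|QL query above applies can be rehearsed offline against a handful of audit events, which is the quickest way to see what it will and will not fire on. The Python below is an added example, not code from the Elastic rule or from the Kubernetes project. It works on events in the raw audit.k8s.io/v1 shape that the API server writes (the `kubernetes.audit.*` names in the rule correspond to these keys once the Elastic integration has nested them), and the sample events, the helper `_event`, and the functions `match_reasons` and `scan` are all constructed for this illustration.

```python
import json

HIGH_RISK_VERBS = {"*", "escalate", "bind", "impersonate"}
RBAC_RESOURCES = {"clusterroles", "clusterrolebindings", "roles", "rolebindings"}
ROLE_RESOURCES = {"roles", "clusterroles"}
WRITE_VERBS = {"create", "update", "patch"}


def _event(verb, resource, name, rules, decision="allow"):
    """Build one constructed audit.k8s.io/v1-style event as a JSON line (test data only)."""
    ev = {
        "level": "RequestResponse", "stage": "ResponseComplete", "verb": verb,
        "user": {"username": "dev-alice", "groups": ["system:authenticated"]},
        "objectRef": {"resource": resource, "name": name},
        "annotations": {"authorization.k8s.io/decision": decision},
        "responseStatus": {"code": 200},
    }
    if rules is not None:  # a delete carries no request body
        kind = "Role" if resource == "roles" else "ClusterRole"
        ev["requestObject"] = {"kind": kind, "rules": rules}
    return json.dumps(ev)


# Constructed sample audit lines; none of this is real cluster data.
SAMPLE_AUDIT_LINES = [
    # Benign: read-only access to ConfigMaps in one namespace.
    _event("create", "roles", "configmap-reader",
           [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]),
    # Wildcard grant, effectively a second cluster-admin.
    _event("create", "clusterroles", "cluster-admin-copy",
           [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]),
    # Escalation verb on an RBAC resource: hits both KQL clauses.
    _event("patch", "roles", "ci-binder",
           [{"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"],
             "verbs": ["bind"]}]),
    # Read-only view of RBAC objects: still matches the resource clause.
    _event("create", "clusterroles", "rbac-auditor",
           [{"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["roles", "rolebindings"],
             "verbs": ["get", "list", "watch"]}]),
    # Delete is not create/update/patch and has no requestObject to inspect.
    _event("delete", "roles", "old-role", None),
    # Same wildcard grant, but denied by the authorizer: the rule requires decision == allow.
    _event("create", "clusterroles", "denied-admin",
           [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}], decision="forbid"),
]


def match_reasons(event):
    """Apply the rule's WHERE clause to one parsed event; return the reasons it alerts (empty = no alert)."""
    ref = event.get("objectRef", {})
    decision = event.get("annotations", {}).get("authorization.k8s.io/decision")
    if ref.get("resource") not in ROLE_RESOURCES or event.get("verb") not in WRITE_VERBS:
        return []
    if decision != "allow":
        return []
    if event.get("level") != "RequestResponse" or event.get("stage") != "ResponseComplete":
        return []
    reasons = []
    # The KQL clause matches across every rule in the submitted Role/ClusterRole.
    for rule in event.get("requestObject", {}).get("rules", []):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if verbs & HIGH_RISK_VERBS:
            reasons.append(f"high-risk verb(s) {sorted(verbs & HIGH_RISK_VERBS)} on {sorted(resources)}")
        if resources & RBAC_RESOURCES:
            reasons.append(f"grants {sorted(verbs)} on RBAC resource(s) {sorted(resources & RBAC_RESOURCES)}")
    return reasons


def scan(lines):
    """Evaluate JSON audit lines; return {objectRef.name: reasons} for the events that alert."""
    alerts = {}
    for line in lines:
        event = json.loads(line)
        reasons = match_reasons(event)
        if reasons:
            alerts[event.get("objectRef", {}).get("name", "?")] = reasons
    return alerts


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_AUDIT_LINES).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Running it alerts on `cluster-admin-copy`, `ci-binder` and `rbac-auditor` while passing the ConfigMap reader, the delete and the denied request. The `rbac-auditor` hit is the tuning point worth knowing before deploying the rule: the second KQL clause keys on the resources list alone, so a role that only reads Roles and RoleBindings (common for compliance tooling) fires just like one that can bind them. Triage on the verbs shown in the reason string, and add exceptions for known audit or GitOps identities by `kubernetes.audit.user.username` rather than loosening the resource clause, since write access to RBAC objects is exactly what the rule exists to catch.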

Framework: MITRE ATT&CK