Kubernetes principal attempted to enumerate their permissions
Set up the kubernetes integration.
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Identify when a user is attempting to enumerate their permissions.
Strategy
This rule identifies when a user attempts to enumerate their permissions, for example, through the use of kubectl auth can-i --list
. This can be an indicator of an attacker having compromised a Kubernetes service account or user and attempting to determine what permissions it has.
Triage and response
- Determine if enumerating the permissions of the user:
{{@usr.id}}
is suspicious. For example, a service account assigned to a web application and enumerating its privileges is highly suspicious, while a group assigned to operations engineers is likely to represent legitimate activity. - Use the Cloud SIEM
User Investigation
dashboard to review any user actions that may have occurred after the potentially malicious action.
Changelog
- 7 May 2024 - Updated detection query to include logs from Azure Kubernetes Service.