Kubernetes principal attempted to enumerate their permissions
Set up the Kubernetes integration.
Goal
Identify when a user is attempting to enumerate their permissions.
Strategy
This rule identifies when a user attempts to enumerate their permissions, for example through the use of kubectl auth can-i --list. This can be an indicator that an attacker has compromised a Kubernetes service account or user and is attempting to determine what permissions it has.
Triage and response
- Determine if enumerating the permissions of the user {{@usr.id}} is suspicious. For example, a service account assigned to a web application and enumerating its privileges is highly suspicious, while a group assigned to operations engineers is likely to represent legitimate activity.
- Use the Cloud SIEM User Investigation dashboard to review any user actions that may have occurred after the potentially malicious action.
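The following is an added example, not the Datadog rule's own detection query or any Datadog code, that shows both halves of the page in working form: the Strategy section's detection (kubectl auth can-i --list makes the API server create a SelfSubjectRulesReview in the authorization.k8s.io group, which is what appears in the Kubernetes audit log) and the Triage section's first step (a service account enumerating its own privileges is rated high, a member of an operations group low). It generalizes slightly beyond the page by also matching SelfSubjectAccessReview, the object created by kubectl auth can-i <verb> <resource>. The audit log lines are constructed for this example; the field names are the standard Kubernetes audit Event fields; the trusted-group name ops-engineers is an assumption that you would replace with your own group.

```python
import json
from typing import Iterable

# Resources the API server creates for `kubectl auth can-i`:
#   `can-i --list`            -> SelfSubjectRulesReview
#   `can-i <verb> <resource>` -> SelfSubjectAccessReview
SELF_REVIEW_RESOURCES = {"selfsubjectrulesreviews", "selfsubjectaccessreviews"}
AUTHZ_API_GROUP = "authorization.k8s.io"

# Assumption for triage: groups whose members are expected to run can-i
# (the page's "group assigned to operations engineers"). Replace with yours.
TRUSTED_GROUPS = {"ops-engineers"}


def _event(stage, username, groups, resource, api_group="", ua="kubectl/v1.29.0 (linux/amd64)"):
    # Helper to build constructed audit log lines for the sample below.
    return json.dumps({
        "kind": "Event", "stage": stage, "verb": "create" if api_group else "list",
        "user": {"username": username, "groups": groups},
        "objectRef": {"resource": resource, "apiGroup": api_group},
        "sourceIPs": ["10.0.3.17"], "userAgent": ua,
        "requestReceivedTimestamp": "2024-05-07T10:01:02.000000Z",
    })


# Constructed sample audit log (not real data), one JSON event per line:
#  1. RequestReceived stage of a service-account can-i --list (must not double count)
#  2. ResponseComplete stage of the same request (should alert, high)
#  3. An operations engineer running can-i --list (should alert, low)
#  4. An ordinary pod list by the same service account (must not alert)
SAMPLE_AUDIT_LINES = [
    _event("RequestReceived", "system:serviceaccount:shop:web-frontend",
           ["system:serviceaccounts", "system:serviceaccounts:shop", "system:authenticated"],
           "selfsubjectrulesreviews", AUTHZ_API_GROUP),
    _event("ResponseComplete", "system:serviceaccount:shop:web-frontend",
           ["system:serviceaccounts", "system:serviceaccounts:shop", "system:authenticated"],
           "selfsubjectrulesreviews", AUTHZ_API_GROUP),
    _event("ResponseComplete", "alice@example.com",
           ["ops-engineers", "system:authenticated"],
           "selfsubjectrulesreviews", AUTHZ_API_GROUP),
    _event("ResponseComplete", "system:serviceaccount:shop:web-frontend",
           ["system:serviceaccounts", "system:serviceaccounts:shop", "system:authenticated"],
           "pods"),
]


def is_service_account(username: str) -> bool:
    # Kubernetes service accounts always authenticate as system:serviceaccount:<ns>:<name>.
    return username.startswith("system:serviceaccount:")


def classify(user: dict) -> str:
    """Triage rating from the page's heuristic: service accounts enumerating
    their own privileges are highly suspicious; trusted operator groups are
    likely legitimate; anything else needs a human look."""
    if is_service_account(user.get("username", "")):
        return "high"
    if set(user.get("groups", [])) & TRUSTED_GROUPS:
        return "low"
    return "medium"


def detect_permission_enumeration(audit_lines: Iterable[str]) -> list[dict]:
    """Return one finding per completed self-permission review in the audit log."""
    findings = []
    for raw in audit_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than stop the pipeline
        # Audit logs emit RequestReceived and ResponseComplete for the same
        # request; count only the completed one so each can-i is one finding.
        if event.get("stage") != "ResponseComplete" or event.get("verb") != "create":
            continue
        obj = event.get("objectRef") or {}
        if obj.get("apiGroup") != AUTHZ_API_GROUP or obj.get("resource") not in SELF_REVIEW_RESOURCES:
            continue
        user = event.get("user") or {}
        findings.append({
            "usr_id": user.get("username", "<unknown>"),   # the page's {{@usr.id}}
            "groups": sorted(user.get("groups", [])),
            "resource": obj["resource"],
            "source_ips": event.get("sourceIPs", []),
            "user_agent": event.get("userAgent", ""),
            "timestamp": event.get("requestReceivedTimestamp", ""),
            "severity": classify(user),
        })
    return findings


if __name__ == "__main__":
    for f in detect_permission_enumeration(SAMPLE_AUDIT_LINES):
        print(f"{f['severity']:6} {f['usr_id']} created {f['resource']} from {f['source_ips']}")
```

Run against the constructed sample it reports two findings: the web-frontend service account at high severity and the operations engineer at low, while the RequestReceived duplicate and the ordinary pod list are ignored. Feeding it real audit log output requires only that the API server's audit policy records requests to the authorization.k8s.io group at Metadata level or above.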
Changelog
- 7 May 2024 - Updated detection query to include logs from Azure Kubernetes Service.