Rules Contributing to Suspicious Azure Kubernetes Activity: Credential Access Alert

The following rules are used to identify suspicious Azure Kubernetes activity usually in the credential access stage. Any one or more of these will trigger the Suspicious Azure Kubernetes Activity: Credential Access Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

Azure Kubernetes Secret or Config Object Access

Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.

Rule ID

azure_68

Query

{'selection': {'operationName': ['MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE', 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE', 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE', 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE']}, 'condition': 'selection'}

Log Source

Stellar Cyber Microsoft Entra Events configured.

Rule Source

SigmaHQ,7ee0b4aa-d8d4-4088-b661-20efdf41a04c

Author: Austin Songer @austinsonger

Tactics, Techniques, and Procedures

CREDENTIAL_ACCESS, T1552.001

References

Severity

50

Suppression Logic Based On

  • azure_activity_log.resourceId
  • azure_activity_log.operationName
  • stellar.rule_id

Additional Information

Maturity Creation Date Risk Level False Positives
test 2021/08/07 medium

  • Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.