Rules Contributing to Suspicious Azure Kubernetes Activity: Credential Access Alert

The following rules are used to identify suspicious Azure Kubernetes activity usually in the credential access stage. Any one or more of these will trigger the Suspicious Azure Kubernetes Activity: Credential Access Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

Azure Kubernetes Secret or Config Object Access

Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.

More details

Rule ID

azure_68

Query

{'selection': {'operationName': ['MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE', 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE', 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE', 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE']}, 'condition': 'selection'}

Log Source

Stellar Cyber Microsoft Entra Events configured.

Rule Source

SigmaHQ,7ee0b4aa-d8d4-4088-b661-20efdf41a04c

Author: Austin Songer @austinsonger

Tactics, Techniques, and Procedures

TA0006, T1552.001

References

Severity

Suppression Logic Based On

azure_activity_log.resourceId
azure_activity_log.operationName
stellar.rule_id

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2021/08/07	medium	Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.