Detectionmediumtest

Kubernetes Secrets Modified or Deleted

Detects when Kubernetes Secrets are Modified or Deleted.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

kelnageCreated Thu Jul 1158d31a75-a4f8-4c40-985b-373d58162ca2application

Log Source

Kubernetesaudit

ProductKubernetes← raw: kubernetes

Serviceaudit← raw: audit

Detection Logic

detection:
    selection:
        objectRef.resource: 'secrets'
        verb:
            - 'create'
            - 'delete'
            - 'patch'
            - 'replace'
            - 'update'
    condition: selection

False Positives

Secrets being modified or deleted may be performed by a system administrator.

Automated processes may need to take these actions and may need to be filtered.

References

MITRE ATT&CK

Tactics

TA0006 · Credential Access

Related Rules

SimilarDetectionmedium

Google Cloud Kubernetes Secrets Modified or Deleted

Identifies when the Secrets are Modified or Deleted.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

58d31a75-a4f8-4c40-985b-373d58162ca2

Status

test

Level

medium

Type

Detection

Created

Thu Jul 11

Author

kelnage

Path

rules/application/kubernetes/audit/kubernetes_audit_secrets_modified_or_deleted.yml

Raw Tags

attack.credential-access

View on GitHub