
New Kubernetes Service Account Created

Detects creation of a new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.

Leo Tsaousis | Created Tue Mar 26 | e31bae15-83ed-473e-bf31-faf4f8a17d36 | application
Log Source
Product: Kubernetes (raw: kubernetes)
Category: application (raw: application)
Service: audit (raw: audit)
Detection Logic (1 selector)
detection:
    selection:
        verb: 'create'
        objectRef.resource: 'serviceaccounts'
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.
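
The selection above, applied to Kubernetes audit events, as an added example that is not part of the rule or the Sigma project. The matcher, the `triage` helper and the sample events are constructed for illustration; the only values taken from the page are the two selection fields.

```python
import json

# The rule's selection, copied from the detection block above.
SELECTION = {"verb": "create", "objectRef.resource": "serviceaccounts"}

def get_field(event, dotted):
    """Resolve a dotted Sigma field name against a nested audit event."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def matches(event, selection=SELECTION):
    """Every field must equal its value (Sigma string compare is case-insensitive)."""
    for field, want in selection.items():
        got = get_field(event, field)
        if not isinstance(got, str) or got.lower() != want.lower():
            return False
    return True

def triage(event):
    """Context for an analyst: who created what, where, and any subresource."""
    ref = event.get("objectRef", {})
    return {
        "user": event.get("user", {}).get("username"),
        "namespace": ref.get("namespace"),
        "name": ref.get("name"),
        "subresource": ref.get("subresource"),
    }

# Constructed sample audit events (JSON lines), not taken from a real cluster.
SAMPLE_LOG = """\
{"verb":"create","user":{"username":"dev@example.com"},"objectRef":{"resource":"serviceaccounts","namespace":"default","name":"backup-sa"}}
{"verb":"get","user":{"username":"dev@example.com"},"objectRef":{"resource":"serviceaccounts","namespace":"default","name":"backup-sa"}}
{"verb":"create","user":{"username":"dev@example.com"},"objectRef":{"resource":"pods","namespace":"default","name":"web-1"}}
{"verb":"create","user":{"username":"system:node:node-1"},"objectRef":{"resource":"serviceaccounts","subresource":"token","namespace":"kube-system","name":"coredns"}}
"""

def run(log_text=SAMPLE_LOG):
    """Return triage context for every sample event the selection matches."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    return [triage(e) for e in events if matches(e)]

if __name__ == "__main__":
    for hit in run():
        print(hit)
```

The last constructed event is a token request (`subresource` set to `token`); the selection as written matches it too, because it does not constrain `objectRef.subresource`.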

Rule Metadata
Rule ID
e31bae15-83ed-473e-bf31-faf4f8a17d36
Status
test
Level
low
Type
Detection
Created
Tue Mar 26
Path
rules/application/kubernetes/audit/kubernetes_audit_serviceaccount_creation.yml
Raw Tags
attack.persistence, attack.t1136