Sigma Rules
10 rules found for "kelnage"
Kubernetes Admission Controller Modification
Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.
Kubernetes CronJob/Job Modification
Detects when a Kubernetes CronJob or Job is created or modified. A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule. An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence.
Kubernetes Rolebinding Modification
Detects when a Kubernetes Rolebinding is created or modified.
Kubernetes Secrets Modified or Deleted
Detects when Kubernetes Secrets are Modified or Deleted.
Kubernetes Unauthorized or Unauthenticated Access
Detects when a request to the Kubernetes API is rejected due to lack of authorization or due to an expired authentication token being used. This may indicate an attacker attempting to leverage credentials they have obtained.
Okta Identity Provider Created
Detects when a new identity provider is created for Okta.
Okta New Admin Console Behaviours
Detects when Okta identifies new activity in the Admin Console.
Potential Okta Password in AlternateID Field
Detects when a user has potentially entered their password into the username field, which will cause the password to be retained in log files.
Okta Suspicious Activity Reported by End-user
Detects when an Okta end-user reports activity by their account as being potentially suspicious.
Okta User Session Start Via An Anonymising Proxy Service
Detects when an Okta user session starts where the user is behind an anonymising proxy service.