LoFP: t1496 (Resource Hijacking)

False positive notes collected from detection rules tagged t1496.

Title
A DNS lookup alone does not establish a successful attempt. Verify (a) whether the query received a response, using the Zeek dns.log 'answers' field, and if it did, verify whether the querying host then connected (conn.log) to those IPs; and (b) whether there was HTTP, SSL, or TLS activity to the domain that was queried. The http.log field is 'host' and the ssl.log field (SSL/TLS) is 'server_name'.
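The triage steps above, carried out over Zeek logs, as an added example that is not part of the LoFP page or of any detection rule's own logic. It assumes Zeek's JSON-lines output (dns.log with 'query' and 'answers', conn.log with 'id.orig_h' and 'id.resp_h', http.log with 'host', ssl.log with 'server_name'); every log line below is constructed for the example. One caveat the text implies but does not spell out is handled here: the dns.log 'answers' field also carries CNAME targets, which would never match a conn.log responder address, so only IP answers are used for the connection check.

```python
"""Triage a DNS lookup alert against Zeek JSON logs (added example).

Assumes Zeek's JSON-lines log format. All log lines are constructed.
"""
import ipaddress
import json

# Constructed sample logs: one resolved query that was followed by a TLS
# session to the answered IP, and one NXDOMAIN query that went nowhere.
DNS_LOG = """
{"ts":1700000000.1,"uid":"CdnsA1","id.orig_h":"10.1.1.5","id.resp_h":"10.1.1.1","query":"pool.miner.example","rcode_name":"NOERROR","answers":["cdn.miner.example","203.0.113.10"]}
{"ts":1700000001.2,"uid":"CdnsB2","id.orig_h":"10.1.1.6","id.resp_h":"10.1.1.1","query":"xmr.blocked.example","rcode_name":"NXDOMAIN"}
"""
CONN_LOG = """
{"ts":1700000000.5,"uid":"CconnC3","id.orig_h":"10.1.1.5","id.resp_h":"203.0.113.10","id.resp_p":443,"proto":"tcp","conn_state":"SF","orig_bytes":1200,"resp_bytes":5400}
{"ts":1700000002.0,"uid":"CconnD4","id.orig_h":"10.1.1.7","id.resp_h":"198.51.100.20","id.resp_p":80,"proto":"tcp","conn_state":"S0","orig_bytes":0,"resp_bytes":0}
"""
HTTP_LOG = """
{"ts":1700000002.1,"uid":"CconnD4","id.orig_h":"10.1.1.7","id.resp_h":"198.51.100.20","host":"www.example","uri":"/"}
"""
SSL_LOG = """
{"ts":1700000000.6,"uid":"CconnC3","id.orig_h":"10.1.1.5","id.resp_h":"203.0.113.10","server_name":"pool.miner.example","established":true}
"""


def parse_zeek_json(text):
    """Parse Zeek JSON-lines output, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ip_answers(answers):
    """Keep only IP addresses from a dns.log 'answers' field; CNAME targets
    are listed there too and would never match a conn.log responder."""
    ips = []
    for answer in answers or []:
        try:
            ipaddress.ip_address(answer)
            ips.append(answer)
        except ValueError:
            continue
    return ips


def triage_dns_query(query, dns_log, conn_log, http_log, ssl_log):
    """Apply the guidance: (a) did the lookup get an IP answer, and did the
    querying host then connect to it; (b) was there HTTP/SSL/TLS activity
    naming the queried domain. Returns the evidence plus a verdict string."""
    dns = [r for r in parse_zeek_json(dns_log) if r.get("query") == query]
    answers = sorted({ip for r in dns for ip in ip_answers(r.get("answers"))})
    origins = {r["id.orig_h"] for r in dns}

    # (a) connections from the querying host(s) to the answered IP(s)
    conns = [
        r["uid"] for r in parse_zeek_json(conn_log)
        if r["id.resp_h"] in answers and r["id.orig_h"] in origins
    ]
    # (b) application-layer activity that names the queried domain
    http = [r["uid"] for r in parse_zeek_json(http_log) if r.get("host") == query]
    ssl = [r["uid"] for r in parse_zeek_json(ssl_log) if r.get("server_name") == query]

    if not dns:
        verdict = "no lookup for this domain in dns.log"
    elif not answers:
        verdict = "lookup failed or unanswered: no IP to connect to"
    elif not (conns or http or ssl):
        verdict = "resolved but no follow-on connection observed"
    else:
        verdict = "resolved and followed by traffic: escalate"

    return {
        "query": query,
        "answers": answers,
        "conn_uids": sorted(conns),
        "http_uids": sorted(http),
        "ssl_uids": sorted(ssl),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for q in ("pool.miner.example", "xmr.blocked.example"):
        print(json.dumps(triage_dns_query(q, DNS_LOG, CONN_LOG, HTTP_LOG, SSL_LOG), indent=2))
```

With the constructed logs, pool.miner.example resolves to 203.0.113.10, the same host then opens a TLS session whose server_name is the queried domain, and the result is escalated; xmr.blocked.example returned NXDOMAIN, so there is nothing to chase in conn.log. The conn.log match is restricted to the host that issued the query; a match from an unrelated host would need its own DNS evidence.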
ClusterRoles/Roles being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
ClusterRole/Role modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
A container registry being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
A container registry created or deleted by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
A Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
A Kubernetes cluster created or deleted by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
Legitimate crypto coin mining.
Legitimate use of crypto miners.
A network policy being modified or deleted by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
A network policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
A RoleBinding/ClusterRoleBinding being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be accessing them in your environment. Sensitive objects accessed by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
A service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
A service account modified or deleted by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
Some build frameworks.
Unlikely.
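The Kubernetes entries above (ClusterRole/Role, RoleBinding/ClusterRoleBinding, service account, network policy and sensitive-object access) all describe the same triage pattern: flag the change, check the user identity and user agent, and exempt known administrative behavior. The following is an added example of that pattern over Kubernetes API server audit events; it is not code from the LoFP page or from any detection rule. It assumes the audit.k8s.io/v1 event format (verb, user.username, userAgent, objectRef.resource, responseStatus.code) written as JSON lines; the events and the exemption list are constructed for the example. The exemption check deliberately requires the identity and the user agent to match together, so a known service account token reused from an unexpected client still alerts, and denied requests (non-2xx) are kept but marked, since a refused attempt is still worth a look.

```python
"""Flag sensitive Kubernetes changes in the API audit log, with a narrow
exemption list for known administrative automation (added example).

Assumes audit.k8s.io/v1 events in JSON-lines form. Events, the
exemption list and the cluster names are all constructed.
"""
import json

# Resources whose modification the entries above describe as sensitive.
SENSITIVE_RESOURCES = {
    "clusterroles", "roles", "clusterrolebindings", "rolebindings",
    "serviceaccounts", "networkpolicies", "secrets",
}
MODIFYING_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
# Reads of secrets count as "sensitive object access".
READ_VERBS = {"get", "list", "watch"}

# Constructed exemptions: (username, user agent prefix). Both must match.
EXEMPTIONS = [
    ("system:serviceaccount:argocd:argocd-application-controller", "argocd-application-controller/"),
    ("system:serviceaccount:kube-system:generic-garbage-collector", "kube-controller-manager/"),
]

# Constructed audit events: a1 is known GitOps automation, a2/a4 are a
# workload service account using curl, a3 is a user reading a secret, and
# a5 reuses the exempted ArgoCD identity from kubectl on a workstation.
AUDIT_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"ResponseComplete","verb":"update","user":{"username":"system:serviceaccount:argocd:argocd-application-controller","groups":["system:serviceaccounts"]},"userAgent":"argocd-application-controller/v2.9.3","sourceIPs":["10.244.1.7"],"objectRef":{"resource":"rolebindings","namespace":"payments","name":"deploy","apiGroup":"rbac.authorization.k8s.io"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a2","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:default:web","groups":["system:serviceaccounts"]},"userAgent":"curl/8.4.0","sourceIPs":["10.244.3.12"],"objectRef":{"resource":"clusterrolebindings","name":"web-admin","apiGroup":"rbac.authorization.k8s.io"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a3","stage":"ResponseComplete","verb":"get","user":{"username":"alice@example","groups":["system:authenticated"]},"userAgent":"kubectl/v1.29.0 (linux/amd64) kubernetes/abc1234","sourceIPs":["192.0.2.44"],"objectRef":{"resource":"secrets","namespace":"payments","name":"db-creds"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a4","stage":"ResponseComplete","verb":"delete","user":{"username":"system:serviceaccount:default:web","groups":["system:serviceaccounts"]},"userAgent":"curl/8.4.0","sourceIPs":["10.244.3.12"],"objectRef":{"resource":"networkpolicies","namespace":"payments","name":"deny-egress","apiGroup":"networking.k8s.io"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a5","stage":"ResponseComplete","verb":"patch","user":{"username":"system:serviceaccount:argocd:argocd-application-controller","groups":["system:serviceaccounts"]},"userAgent":"kubectl/v1.29.0 (linux/amd64) kubernetes/abc1234","sourceIPs":["192.0.2.44"],"objectRef":{"resource":"clusterroles","name":"admin","apiGroup":"rbac.authorization.k8s.io"},"responseStatus":{"code":200}}
"""


def parse_events(text):
    """Parse audit events from JSON lines, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_exempt(username, user_agent):
    """Exempt only when identity and user agent match a known pair together."""
    return any(username == u and user_agent.startswith(ua) for u, ua in EXEMPTIONS)


def classify(event):
    """Return an alert record for a sensitive change or access, else None."""
    obj = event.get("objectRef", {})
    resource = obj.get("resource", "")
    verb = event.get("verb", "")
    username = event.get("user", {}).get("username", "")
    agent = event.get("userAgent", "")
    code = event.get("responseStatus", {}).get("code", 0)

    if resource in SENSITIVE_RESOURCES and verb in MODIFYING_VERBS:
        kind = "modification"
    elif resource == "secrets" and verb in READ_VERBS:
        kind = "sensitive_access"
    else:
        return None
    if is_exempt(username, agent):
        return None
    return {
        "auditID": event.get("auditID"),
        "kind": kind,
        "verb": verb,
        "resource": resource,
        "name": obj.get("name"),
        "namespace": obj.get("namespace"),
        "user": username,
        "userAgent": agent,
        "sourceIPs": event.get("sourceIPs", []),
        # A 403 is a refused attempt; keep it, but let the analyst see it failed.
        "succeeded": 200 <= code < 300,
    }


def find_alerts(text):
    """Run classify() over every event and keep the ones that alert."""
    return [a for a in (classify(e) for e in parse_events(text)) if a]


if __name__ == "__main__":
    for alert in find_alerts(AUDIT_LOG):
        print(json.dumps(alert))
```

On the constructed log, a1 is dropped by the exemption, while a2 (ClusterRoleBinding created by a workload service account via curl), a3 (a user reading a secret), a4 (a denied network policy deletion) and a5 (the exempted ArgoCD identity driven from kubectl rather than the controller) are all raised. Exempting by username alone would have silently hidden a5. The container registry and cluster creation entries above come from cloud provider audit logs rather than the Kubernetes API audit log, but the same identity-plus-agent exemption approach applies there.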