LoFP / modifying a kubernetes rolebinding may need to be done by a system administrator.

Techniques

Sample rules

Kubernetes Rolebinding Modification

source: sigma
technicques:

Description

Detects when a Kubernetes Rolebinding is created or modified.

Detection logic

condition: selection
selection:
  objectRef.apiGroup: rbac.authorization.k8s.io
  objectRef.resource:
  - clusterrolebindings
  - rolebindings
  verb:
  - create
  - delete
  - patch
  - replace
  - update