rolebinding/clusterrolebinding modification from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

azure
sigma

Techniques

Sample rules

Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted

source: sigma
technicques:

Description

Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.

Detection logic

condition: selection
selection:
  operationName:
  - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE
  - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/DELETE
  - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE
  - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/DELETE