RoleBindings and ClusterRoleBindings being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.

Techniques

Sample rules

Google Cloud Kubernetes RoleBinding

Description

Detects the creation, patching, update, or deletion of potentially malicious RoleBindings. This covers both RoleBindings and ClusterRoleBindings.

Detection logic

condition: selection
selection:
  gcp.audit.method_name:
  - io.k8s.authorization.rbac.v*.clusterrolebindings.create
  - io.k8s.authorization.rbac.v*.rolebindings.create
  - io.k8s.authorization.rbac.v*.clusterrolebindings.patch
  - io.k8s.authorization.rbac.v*.rolebindings.patch
  - io.k8s.authorization.rbac.v*.clusterrolebindings.update
  - io.k8s.authorization.rbac.v*.rolebindings.update
  - io.k8s.authorization.rbac.v*.clusterrolebindings.delete
  - io.k8s.authorization.rbac.v*.rolebindings.delete
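The selection above evaluated against a few constructed GCP Kubernetes audit events, with the false-positive check from the note (expected identity and user agent) applied to each hit. This is an added example, not part of the LoFP page or the rule; every field name other than gcp.audit.method_name, and every identity, user agent and value, is an assumption.

```python
"""Added example: apply the Sigma selection above to constructed GCP Kubernetes
audit events, then triage hits per the LoFP note (check identity and user agent).
Field names other than gcp.audit.method_name and all sample values are assumptions."""
import re

# The Sigma selection: '*' is the Sigma wildcard; Sigma string matching is case-insensitive.
METHOD_PATTERNS = [
    f"io.k8s.authorization.rbac.v*.{kind}.{verb}"
    for kind in ("clusterrolebindings", "rolebindings")
    for verb in ("create", "patch", "update", "delete")
]

def sigma_glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a Sigma value with * and ? wildcards into an anchored, case-insensitive regex."""
    parts = re.split(r"([*?])", pattern)
    body = "".join(".*" if p == "*" else "." if p == "?" else re.escape(p) for p in parts)
    return re.compile(f"^{body}$", re.IGNORECASE)

COMPILED = [sigma_glob_to_regex(p) for p in METHOD_PATTERNS]

def matches_rule(event: dict) -> bool:
    """True when gcp.audit.method_name matches any value listed in the selection."""
    method = event.get("gcp.audit.method_name", "")
    return any(rx.match(method) for rx in COMPILED)

def triage(event: dict, known_admins: set, known_agents: set) -> str:
    """Apply the false-positive note: a hit from an expected admin identity using an
    expected tool is 'expected'; any other hit is 'investigate'."""
    if not matches_rule(event):
        return "no-match"
    identity = event.get("principal_email", "")   # assumed field name
    agent = event.get("user_agent", "")           # assumed field name
    if identity in known_admins and agent in known_agents:
        return "expected"
    return "investigate"

# Constructed sample events (assumed field names, fictitious values).
SAMPLE_EVENTS = [
    {"gcp.audit.method_name": "io.k8s.authorization.rbac.v1.clusterrolebindings.create",
     "principal_email": "admin@example.com", "user_agent": "kubectl/v1.29.0"},
    {"gcp.audit.method_name": "io.k8s.authorization.rbac.v1.rolebindings.patch",
     "principal_email": "ci-bot@example.com", "user_agent": "python-requests/2.31"},
    {"gcp.audit.method_name": "io.k8s.authorization.rbac.v1.roles.create",
     "principal_email": "admin@example.com", "user_agent": "kubectl/v1.29.0"},
]
KNOWN_ADMINS = {"admin@example.com"}      # constructed allowlist
KNOWN_AGENTS = {"kubectl/v1.29.0"}        # constructed allowlist

def run(events=SAMPLE_EVENTS) -> list:
    """Triage every sample event; returns one verdict per event in order."""
    return [triage(e, KNOWN_ADMINS, KNOWN_AGENTS) for e in events]
```

The third event (a Role rather than a RoleBinding) does not match the selection at all, which shows the rule's scope; the second matches but comes from an unexpected identity and tool, so it is the one to look at.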