rolebindings and clusterrolebinding being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.

gcp
sigma

Techniques

Sample rules

Google Cloud Kubernetes RoleBinding

source: sigma
technicques:

Description

Detects the creation or patching of potential malicious RoleBinding. This includes RoleBindings and ClusterRoleBinding.

Detection logic

condition: selection
selection:
  gcp.audit.method_name:
  - io.k8s.authorization.rbac.v*.clusterrolebindings.create
  - io.k8s.authorization.rbac.v*.rolebindings.create
  - io.k8s.authorization.rbac.v*.clusterrolebindings.patch
  - io.k8s.authorization.rbac.v*.rolebindings.patch
  - io.k8s.authorization.rbac.v*.clusterrolebindings.update
  - io.k8s.authorization.rbac.v*.rolebindings.update
  - io.k8s.authorization.rbac.v*.clusterrolebindings.delete
  - io.k8s.authorization.rbac.v*.rolebindings.delete