LoFP / RoleBindings and ClusterRoleBindings modified or deleted by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

Google Cloud Kubernetes RoleBinding

Description

Detects the creation or patching of a potentially malicious RoleBinding. This covers both RoleBindings and ClusterRoleBindings.

Detection logic

condition: selection
selection:
  gcp.audit.method_name:
  - io.k8s.authorization.rbac.v*.clusterrolebindings.create
  - io.k8s.authorization.rbac.v*.rolebindings.create
  - io.k8s.authorization.rbac.v*.clusterrolebindings.patch
  - io.k8s.authorization.rbac.v*.rolebindings.patch
  - io.k8s.authorization.rbac.v*.clusterrolebindings.update
  - io.k8s.authorization.rbac.v*.rolebindings.update
  - io.k8s.authorization.rbac.v*.clusterrolebindings.delete
  - io.k8s.authorization.rbac.v*.rolebindings.delete
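As an added example (not part of the LoFP entry or the Sigma rule itself), the following Python evaluates the selection above against constructed GCP audit events and applies the exemption the false-positive note describes. The flattened `gcp.audit.method_name` field, the `principal` key and all principal and resource values are assumed or constructed for illustration.

```python
import fnmatch

# Method-name patterns copied from the rule's detection logic; the Sigma
# "*" wildcard is evaluated here with fnmatch (case-sensitive).
METHOD_PATTERNS = [
    "io.k8s.authorization.rbac.v*.clusterrolebindings.create",
    "io.k8s.authorization.rbac.v*.rolebindings.create",
    "io.k8s.authorization.rbac.v*.clusterrolebindings.patch",
    "io.k8s.authorization.rbac.v*.rolebindings.patch",
    "io.k8s.authorization.rbac.v*.clusterrolebindings.update",
    "io.k8s.authorization.rbac.v*.rolebindings.update",
    "io.k8s.authorization.rbac.v*.clusterrolebindings.delete",
    "io.k8s.authorization.rbac.v*.rolebindings.delete",
]

# Constructed exemption list (hypothetical principal): identities whose
# RoleBinding changes are known behaviour and therefore exempted from the rule.
KNOWN_PRINCIPALS = {"deploy-bot@example-project.iam.gserviceaccount.com"}


def matches_rule(method_name: str) -> bool:
    """Sigma 'selection': true when method_name matches any listed pattern."""
    return any(fnmatch.fnmatchcase(method_name, p) for p in METHOD_PATTERNS)


def evaluate(events):
    """Split rule hits into (alerts, exempted) by principal allowlist."""
    alerts, exempted = [], []
    for ev in events:
        if not matches_rule(ev.get("gcp.audit.method_name", "")):
            continue  # read-only verbs such as .get/.list never match
        (exempted if ev.get("principal") in KNOWN_PRINCIPALS else alerts).append(ev)
    return alerts, exempted


# Constructed sample audit events (not real log data).
SAMPLE_EVENTS = [
    {"gcp.audit.method_name": "io.k8s.authorization.rbac.v1.clusterrolebindings.create",
     "principal": "alice@example.com", "resource": "clusterrolebindings/extra-admin"},
    {"gcp.audit.method_name": "io.k8s.authorization.rbac.v1.rolebindings.delete",
     "principal": "deploy-bot@example-project.iam.gserviceaccount.com",
     "resource": "rolebindings/app-reader"},
    {"gcp.audit.method_name": "io.k8s.authorization.rbac.v1.rolebindings.get",
     "principal": "alice@example.com", "resource": "rolebindings/app-reader"},
    {"gcp.audit.method_name": "io.k8s.authorization.rbac.v1beta1.rolebindings.patch",
     "principal": "bob@example.com", "resource": "rolebindings/app-reader"},
]

if __name__ == "__main__":
    hits, skipped = evaluate(SAMPLE_EVENTS)
    for ev in hits:
        print("ALERT", ev["principal"], ev["gcp.audit.method_name"], ev["resource"])
    print(f"{len(skipped)} hit(s) exempted as known behaviour")
```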