secrets being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.

Sample rules

Google Cloud Kubernetes Secrets Modified or Deleted

source: sigma
technicques:

Description

Identifies when the Secrets are Modified or Deleted.

Detection logic

condition: selection
selection:
  gcp.audit.method_name:
  - io.k8s.core.v*.secrets.create
  - io.k8s.core.v*.secrets.update
  - io.k8s.core.v*.secrets.patch
  - io.k8s.core.v*.secrets.delete

Azure Keyvault Secrets Modified or Deleted

source: sigma
technicques:
- t1552
- t1552.001

Description

Identifies when secrets are modified or deleted in Azure.

Detection logic

condition: selection
selection:
  operationName:
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/DELETE
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/PURGE/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/UPDATE/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RECOVER/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RESTORE/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/SETSECRET/ACTION

Kubernetes Secrets Modified or Deleted

source: sigma
technicques:

Description

Detects when Kubernetes Secrets are Modified or Deleted.

Detection logic

condition: selection
selection:
  objectRef.resource: secrets
  verb:
  - create
  - delete
  - patch
  - replace
  - update