Sample rules
Kubernetes Secrets Modified or Deleted
- source: sigma
- techniques:
Description
Detects when Kubernetes Secrets are modified or deleted.
Detection logic
condition: selection
selection:
  objectRef.resource: secrets
  verb:
    - create
    - delete
    - patch
    - replace
    - update
Azure Keyvault Secrets Modified or Deleted
- source: sigma
- techniques:
  - t1552
  - t1552.001
Description
Identifies when secrets are modified or deleted in Azure.
Detection logic
condition: selection
selection:
  operationName:
    - MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE
    - MICROSOFT.KEYVAULT/VAULTS/SECRETS/DELETE
    - MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION
    - MICROSOFT.KEYVAULT/VAULTS/SECRETS/PURGE/ACTION
    - MICROSOFT.KEYVAULT/VAULTS/SECRETS/UPDATE/ACTION
    - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RECOVER/ACTION
    - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RESTORE/ACTION
    - MICROSOFT.KEYVAULT/VAULTS/SECRETS/SETSECRET/ACTION
Google Cloud Kubernetes Secrets Modified or Deleted
- source: sigma
- techniques:
Description
Identifies when Secrets are modified or deleted.
Detection logic
condition: selection
selection:
  gcp.audit.method_name:
    - io.k8s.core.v*.secrets.create
    - io.k8s.core.v*.secrets.update
    - io.k8s.core.v*.secrets.patch
    - io.k8s.core.v*.secrets.delete