LoFP LoFP / secrets modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

Google Cloud Kubernetes Secrets Modified or Deleted

Description

Identifies when the Secrets are Modified or Deleted.

Detection logic

condition: selection
selection:
  gcp.audit.method_name:
  - io.k8s.core.v*.secrets.create
  - io.k8s.core.v*.secrets.update
  - io.k8s.core.v*.secrets.patch
  - io.k8s.core.v*.secrets.delete

Azure Keyvault Secrets Modified or Deleted

Description

Identifies when secrets are modified or deleted in Azure.

Detection logic

condition: selection
selection:
  operationName:
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/DELETE
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/PURGE/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/UPDATE/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RECOVER/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RESTORE/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/SETSECRET/ACTION