LoFP / Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

Azure Kubernetes Secret or Config Object Access

Description

Identifies when a Kubernetes account accesses sensitive objects such as configmaps or secrets.

Detection logic

condition: selection
selection:
  operationName:
  - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE
  - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE
  - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE
  - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE
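As an added example (not part of this page or of the Sigma rule itself), the following Python evaluates the rule's selection over constructed Azure activity log records and applies the exemption the false-positive note above describes, keyed on caller identity plus user agent. The log field names (operationName, caller, userAgent), the exempted identity and all sample values are assumptions made for the example.

```python
from typing import Dict, List, Tuple

# operationName values taken from the rule's selection above. Sigma string
# matching is case-insensitive, so the comparison is done on the upper-cased value.
SENSITIVE_OPERATIONS = {
    "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE",
    "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE",
    "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE",
    "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE",
}

# Hypothetical exemption list for the known-benign case described in the note:
# (caller identity, user agent) pairs expected to change these objects, e.g. a
# deployment service principal. Both values are constructed for this example.
KNOWN_BENIGN = {("deploy-bot@example.com", "kubectl/v1.28")}

Alert = Tuple[str, str, str]  # (caller, userAgent, operationName)

def matches_selection(event: Dict[str, str]) -> bool:
    """Sigma 'selection': operationName equals one of the listed values."""
    return event.get("operationName", "").upper() in SENSITIVE_OPERATIONS

def is_exempted(event: Dict[str, str]) -> bool:
    """Exempt only when identity AND user agent both match a known-benign pair."""
    return (event.get("caller"), event.get("userAgent")) in KNOWN_BENIGN

def evaluate(events: List[Dict[str, str]]) -> List[Alert]:
    """One alert per event that matches the rule and is not exempted."""
    return [
        (e.get("caller", "?"), e.get("userAgent", "?"), e["operationName"])
        for e in events
        if matches_selection(e) and not is_exempted(e)
    ]

# Constructed sample records; the field names (operationName, caller, userAgent)
# are an assumption about the log shape, not a statement of the Azure schema.
SAMPLE_EVENTS = [
    {"caller": "alice@example.com", "userAgent": "kubectl/v1.28",
     "operationName": "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE"},
    {"caller": "deploy-bot@example.com", "userAgent": "kubectl/v1.28",
     "operationName": "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE"},
    {"caller": "bob@example.com", "userAgent": "kubectl/v1.28",
     "operationName": "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/READ"},
    # Exempted identity but an unexpected user agent: still alerts.
    {"caller": "deploy-bot@example.com", "userAgent": "python-requests/2.31",
     "operationName": "microsoft.kubernetes/connectedclusters/secrets/delete"},
]
```

Running `evaluate(SAMPLE_EVENTS)` yields two alerts: the unfamiliar user writing a secret, and the exempted identity acting through a user agent that is not on the allow list.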