|
| 1 | +[metadata] |
| 2 | +creation_date = "2025/06/19" |
| 3 | +integration = ["endpoint", "auditd_manager"] |
| 4 | +maturity = "production" |
| 5 | +updated_date = "2025/06/19" |
| 6 | + |
| 7 | +[rule] |
| 8 | +author = ["Elastic"] |
| 9 | +building_block_type = "default" |
| 10 | +description = """ |
| 11 | +This rule detects the execution of kubectl commands that are commonly used for workload and cluster |
| 12 | +discovery in Kubernetes environments. It looks for process events where kubectl is executed with |
| 13 | +arguments that query cluster information, such as namespaces, nodes, pods, deployments, and other |
| 14 | +resources. In environments where kubectl is not expected to be used, this could indicate potential |
| 15 | +reconnaissance activity by an adversary. |
| 16 | +""" |
| 17 | +from = "now-119m" |
| 18 | +index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] |
| 19 | +interval = "60m" |
| 20 | +language = "eql" |
| 21 | +license = "Elastic License v2" |
| 22 | +name = "Kubectl Workload and Cluster Discovery" |
| 23 | +risk_score = 21 |
| 24 | +rule_id = "74e5241e-c1a1-4e70-844e-84ee3d73eb7d" |
| 25 | +severity = "low" |
| 26 | +tags = [ |
| 27 | + "Domain: Container", |
| 28 | + "Domain: Endpoint", |
| 29 | + "Domain: Kubernetes", |
| 30 | + "OS: Linux", |
| 31 | + "Use Case: Threat Detection", |
| 32 | + "Tactic: Discovery", |
| 33 | + "Rule Type: BBR", |
| 34 | + "Data Source: Elastic Defend", |
| 35 | + "Data Source: Elastic Endgame", |
| 36 | + "Data Source: Auditd Manager", |
| 37 | +] |
| 38 | +timestamp_override = "event.ingested" |
| 39 | +type = "eql" |
| 40 | +query = ''' |
| 41 | +process where host.os.type == "linux" and event.type == "start" and |
| 42 | +event.action in ("exec", "exec_event", "executed", "process_started") and |
| 43 | +process.name == "kubectl" and ( |
| 44 | + (process.args in ("cluster-info", "api-resources", "api-versions", "version")) or |
| 45 | + (process.args in ("get", "describe") and process.args in ( |
| 46 | + "namespaces", "nodes", "pods", "pod", "deployments", "deployment", |
| 47 | + "replicasets", "statefulsets", "daemonsets", "services", "service", |
| 48 | + "ingress", "ingresses", "endpoints", "configmaps", "events", "svc", |
| 49 | + "roles", "rolebindings", "clusterroles", "clusterrolebindings" |
| 50 | + ) |
| 51 | + ) |
| 52 | +) |
| 53 | +''' |
| 54 | + |
| 55 | +[[rule.threat]] |
| 56 | +framework = "MITRE ATT&CK" |
| 57 | + |
| 58 | +[[rule.threat.technique]] |
| 59 | +id = "T1613" |
| 60 | +name = "Container and Resource Discovery" |
| 61 | +reference = "https://attack.mitre.org/techniques/T1613/" |
| 62 | + |
| 63 | +[[rule.threat.technique]] |
| 64 | +id = "T1069" |
| 65 | +name = "Permission Groups Discovery" |
| 66 | +reference = "https://attack.mitre.org/techniques/T1069/" |
| 67 | + |
| 68 | +[rule.threat.tactic] |
| 69 | +id = "TA0007" |
| 70 | +name = "Discovery" |
| 71 | +reference = "https://attack.mitre.org/tactics/TA0007/" |
0 commit comments