forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathdiscovery_kubectl_workload_and_cluster_discovery.toml
More file actions
75 lines (70 loc) · 2.57 KB
/
Copy pathdiscovery_kubectl_workload_and_cluster_discovery.toml
File metadata and controls
75 lines (70 loc) · 2.57 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
[metadata]
creation_date = "2025/06/19"
integration = ["endpoint", "auditd_manager", "crowdstrike", "cloud_defend"]
maturity = "production"
min_stack_comments = "Defend for Containers integration was re-introduced in 9.3.0"
min_stack_version = "9.3.0"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
This rule detects the execution of kubectl commands that are commonly used for workload and cluster
discovery in Kubernetes environments. It looks for process events where kubectl is executed with
arguments that query cluster information, such as namespaces, nodes, pods, deployments, and other
resources. In environments where kubectl is not expected to be used, this could indicate potential
reconnaissance activity by an adversary.
"""
from = "now-119m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-cloud_defend.process*"]
interval = "60m"
language = "eql"
license = "Elastic License v2"
name = "Kubectl Workload and Cluster Discovery"
risk_score = 21
rule_id = "74e5241e-c1a1-4e70-844e-84ee3d73eb7d"
severity = "low"
tags = [
"Domain: Container",
"Domain: Endpoint",
"Domain: Kubernetes",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Rule Type: BBR",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager",
"Data Source: Crowdstrike",
"Data Source: Elastic Defend for Containers",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "executed", "process_started", "ProcessRollup2") and
process.name == "kubectl" and (
(process.args in ("cluster-info", "api-resources", "api-versions", "version")) or
(process.args in ("get", "describe") and process.args in (
"namespaces", "nodes", "pods", "pod", "deployments", "deployment",
"replicasets", "statefulsets", "daemonsets", "services", "service",
"ingress", "ingresses", "endpoints", "configmaps", "events", "svc",
"roles", "rolebindings", "clusterroles", "clusterrolebindings"
)
)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1069"
name = "Permission Groups Discovery"
reference = "https://attack.mitre.org/techniques/T1069/"
[[rule.threat.technique]]
id = "T1613"
name = "Container and Resource Discovery"
reference = "https://attack.mitre.org/techniques/T1613/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"