IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Kubernetes Denied Service Account Request Kubernetes User Exec into Pod »
Elastic Docs Elastic Security Solution [8.11] Downloadable rule update v8.4.2

Kubernetes Suspicious Self-Subject Review

edit

Kubernetes Suspicious Self-Subject Review

edit

This rule detects when a service account or node attempts to enumerate their own permissions via the selfsubjectaccessreview or selfsubjectrulesreview APIs. This is highly unusual behavior for non-human identities like service accounts and nodes. An adversary may have gained access to credentials/tokens and this could be an attempt to determine what privileges they have to facilitate further movement or execution within the cluster.

Rule type: query

Rule indices:

  • logs-kubernetes.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: None (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Kubernetes
  • Continuous Monitoring
  • Discovery

Version: 201

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit











Rule query
edit








event.dataset : "kubernetes.audit_logs"
  and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
  and kubernetes.audit.verb:"create"
  and kubernetes.audit.objectRef.resource:("selfsubjectaccessreviews" or "selfsubjectrulesreviews")
  and (kubernetes.audit.user.username:(system\:serviceaccount\:* or system\:node\:*)
  or kubernetes.audit.impersonatedUser.username:(system\:serviceaccount\:* or system\:node\:*))




Framework: MITRE ATT&CKTM
















« Kubernetes Denied Service Account Request


Kubernetes User Exec into Pod »