[New Rules] GCP GKE Rule Conversions Part 3#6445
Open
imays11 wants to merge 1 commit into
Open
Conversation
## Summary Converts five Kubernetes Fleet privilege-abuse rules to GKE/GCP Fleet audit format (`logs-gcp.audit-*`, `service.name:"k8s.io"`). Validated on trade-lab and Zocalo cluster. --- **GKE Ephemeral Container Added to Pod** Original: https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/privilege_escalation_kubernetes_ephemeral_container_added_to_pod.toml Detects update/patch of `pods/ephemeralcontainers` — a common post-compromise debug-shell technique. --- **GKE Exposed Service Created With Type NodePort** Original: https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/persistence_kubernetes_exposed_service_created_with_type_nodeport.toml Detects create/update/patch of a Service with `spec.type: NodePort`. Key changes: Excludes `system:addon-manager` on `services.patch` only. (based on telemetry) --- **GKE Service Account Token Created via TokenRequest API** Original: https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/credential_access_kubernetes_service_account_token_created.toml Detects `serviceaccounts/token` create (`kubectl create token` / TokenRequest API). --- **GKE API Server Proxying Request to Kubelet** Original: https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/privilege_escalation_kubernetes_proxy_to_node.toml Detects API-server proxy to the node kubelet (`nodes/proxy`). --- **GKE API Request Impersonating Privileged Identity** Original: https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/privilege_escalation_kubernetes_api_request_impersonating_privileged_identity.toml Detects successful API calls impersonating privileged identities (`system:admin`, controller-manager, kube-system SAs, nodes, etc.). Key changes: GKE maps impersonation to `gcp.audit.authentication_info.authority_selector` (not `impersonatedUser`). No verb filter. `--as-group` (e.g. `system:masters`) is not exposed as a structured field in Cloud Audit Logs.
Contributor
Rule: New - GuidelinesThese guidelines serve as a reminder set of considerations when proposing a new rule. Documentation and Context
Rule Metadata Checks
New BBR Rules
Testing and Validation
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull Request
Issue link(s):
Summary
Converts five Kubernetes Fleet privilege-abuse rules to GKE/GCP Fleet audit format (
logs-gcp.audit-*,service.name:"k8s.io"). Validated on trade-lab and Zocalo cluster.GKE Ephemeral Container Added to Pod
Original: https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/privilege_escalation_kubernetes_ephemeral_container_added_to_pod.toml
Detects update/patch of
pods/ephemeralcontainers— a common post-compromise debug-shell technique.GKE Exposed Service Created With Type NodePort Original: https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/persistence_kubernetes_exposed_service_created_with_type_nodeport.toml
Detects create/update/patch of a Service with
spec.type: NodePort.Key changes: Excludes
system:addon-manageronservices.patchonly. (based on telemetry)GKE Service Account Token Created via TokenRequest API Original: https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/credential_access_kubernetes_service_account_token_created.toml
Detects
serviceaccounts/tokencreate (kubectl create token/ TokenRequest API).GKE API Server Proxying Request to Kubelet
Original: https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/privilege_escalation_kubernetes_proxy_to_node.toml
Detects API-server proxy to the node kubelet (
nodes/proxy).GKE API Request Impersonating Privileged Identity Original: https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/privilege_escalation_kubernetes_api_request_impersonating_privileged_identity.toml
Detects successful API calls impersonating privileged identities (
system:admin, controller-manager, kube-system SAs, nodes, etc.).Key changes: GKE maps impersonation to
gcp.audit.authentication_info.authority_selector(notimpersonatedUser). No verb filter.--as-group(e.g.system:masters) is not exposed as a structured field in Cloud Audit Logs.How To Test
Queries tested against Zocalo cluster, where no data found I emulated behavior to test in trade stack.