From 990a8fd6d5dc0ffbb1aa1e062250f22bffaf2799 Mon Sep 17 00:00:00 2001
From: Furkan
Date: Sat, 19 Mar 2022 23:01:34 +0300
Subject: [PATCH] update(rules): k8s: secret get detection

Signed-off-by: Furkan
---
 rules/k8s_audit_rules.yaml | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

diff --git a/rules/k8s_audit_rules.yaml b/rules/k8s_audit_rules.yaml
index 4cb89be4..3a6e83dc 100644
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@@ -86,6 +86,9 @@
 - macro: response_successful
   condition: (ka.response.code startswith 2)
 
+- macro: kget
+  condition: ka.verb=get
+
 - macro: kcreate
   condition: ka.verb=create
 
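Review bot: The new `kget` macro matches only `ka.verb=get`, so a rule built on it will never see `list` or `watch` requests against the same resource, even though those verbs also return the object contents; a secret-read detection that keys on this macro alone has a coverage gap. If the intent is "any read of the object", either widen the macro, `condition: (ka.verb=get or ka.verb=list or ka.verb=watch)`, or add sibling one-verb macros beside it so that rules can opt in explicitly. If you keep the single-verb form, the name is consistent with the existing `kcreate`/`kdelete` macros, which is fine.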
@@ -567,13 +570,37 @@
   tags: [k8s]
 
 - rule: K8s Secret Deleted
-  desc: Detect any attempt to delete a secret Service account tokens are excluded.
+  desc: Detect any attempt to delete a secret. Service account tokens are excluded.
   condition: (kactivity and kdelete and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)
   output: K8s Secret Deleted (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
   tags: [k8s]
 
+- rule: K8s Secret Get Successfully
+  desc: >
+    Detect any attempt to get a secret. Service account tokens are excluded.
+  condition: >
+    secret and kget
+    and kactivity
+    and response_successful
+  output: K8s Secret Get Successfully (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
+  priority: ERROR
+  source: k8s_audit
+  tags: [k8s]
+
+- rule: K8s Secret Get Unsuccessfully Tried
+  desc: >
+    Detect an unsuccessful attempt to get the secret. Service account tokens are excluded.
+  condition: >
+    secret and kget
+    and kactivity
+    and not response_successful
+  output: K8s Secret Get Unsuccessfully Tried (user=%ka.user.name secret=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
+  priority: WARNING
+  source: k8s_audit
+  tags: [k8s]
+
 # This rule generally matches all events, and as a result is disabled
 # by default. If you wish to enable these events, modify the
 # following macro.
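Review bot: The two new rules omit the `ka.target.namespace!=kube-system` and `non_system_user` exclusions that the adjacent `K8s Secret Deleted` rule applies, so every routine secret read by in-cluster components (kubelets, controllers, operators) will fire, and at `priority: ERROR` — above the INFO used for deleting the same object — which inverts the severity ordering and makes the rule very noisy in practice. Suggest aligning the condition with the sibling rule, `condition: (kactivity and kget and secret and ka.target.namespace!=kube-system and non_system_user and response_successful)`, and a priority no higher than the deletion rule's until real volume is measured. Both new `desc` strings say service account tokens are excluded, but nothing in either condition does that; the exclusion would have to come from the `secret` macro, which is defined outside this hunk — confirm it, or drop the sentence. The failed-attempt rule matches on `not response_successful`, which also covers 404s for secrets that simply do not exist; if the goal is to surface authorization denials, a narrower check on `ka.response.code` (for example the 403 case) would keep the signal meaningful.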