Sigma rule outputs from CloudSigma rendered into Elastic queries against the Kubernetes Audit schema. Every rule is mapped to MITRE ATT&CK and validated against its dialect.
| Technique | Rule | Severity | Log source |
|---|---|---|---|
| T1059 | Command and Scripting Interpreter on Kubernetes Audit | medium | Kubernetes Audit |
| T1078 | Valid Accounts on Kubernetes Audit | medium | Kubernetes Audit |
| T1078.004 | Valid Accounts: Cloud Accounts on Kubernetes Audit | medium | Kubernetes Audit |
| T1078.004 | Valid Accounts: Cloud Accounts on Kubernetes Audit | medium | Kubernetes Audit |
| T1078.004 | Valid Accounts: Cloud Accounts on Kubernetes Audit | medium | Kubernetes Audit |
| T1098 | Account Manipulation on Kubernetes Audit | medium | Kubernetes Audit |
| T1098.001 | Account Manipulation: Additional Cloud Credentials on Kubernetes Audit | medium | Kubernetes Audit |
| T1562.008 | Impair Defenses: Disable Cloud Logs on Kubernetes Audit | medium | Kubernetes Audit |
Kubernetes Audit Policy or Logging Configuration Tampering, generated by CloudSigma and validated against the Elastic dialect.
```yaml
title: Kubernetes Audit Policy or Logging Configuration Tampering
id: d4e7f2a1-8b3c-4d5e-9f6a-1c2b3d4e5f68
status: test
description: >
    Detects modification or deletion of Kubernetes audit-policy
    ConfigMaps, audit webhook configurations, or logging-stack
    workloads (fluent-bit, elasticsearch, vector) that may indicate
    an adversary disabling or weakening audit logging to evade
    detection. The system-component filter intentionally excludes
    only the kube-controller-manager identity — earlier versions
    also excluded system:masters and system:serviceaccount:kube-system,
    which are precisely the identities a compromised kubeconfig or
    pod-mounted token would assume.
references:
    - https://attack.mitre.org/techniques/T1562/008/
    - https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/
author: CloudSigma
date: 2026-04-24
tags:
    - attack.defense-evasion
    - attack.t1562.008
logsource:
    product: kubernetes
    service: audit
detection:
    selection_audit_policy:
        verb:
            - update
            - patch
            - delete
        objectRef.resource: configmaps
        objectRef.name|contains:
            - audit-policy
            - audit-log
            - kube-apiserver-audit
    selection_webhook:
        verb:
            - delete
            - update
            - patch
        objectRef.resource:
            - validatingwebhookconfigurations
            - mutatingwebhookconfigurations
        objectRef.name|contains: audit
    selection_logging_namespace:
        verb:
            - delete
            - update
            - patch
        objectRef.resource:
            - daemonsets
            - deployments
            - statefulsets
        objectRef.namespace:
            - logging
            - monitoring
            - kube-logging
            - elastic-system
            - fluentbit
            - vector
    filter_controller:
        user.username: system:kube-controller-manager
    condition: (selection_audit_policy or selection_webhook or selection_logging_namespace) and not filter_controller
falsepositives:
    - Cluster operators applying audit-policy changes during a planned maintenance window from a documented jump host
    - GitOps controllers (ArgoCD, Flux) reconciling logging-stack manifests after a chart upgrade
fields:
    - user.username
    - user.groups
    - sourceIPs
    - verb
    - objectRef.resource
    - objectRef.namespace
    - objectRef.name
level: high
```
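As an added illustration (not CloudSigma's generator or the Elastic backend), the Python below evaluates the rule's condition over constructed audit events, flattened to dotted field names the way the Elastic rendering queries them; case-insensitive string matching is assumed, as in Sigma's default semantics, and the samples show why the narrowed filter matters: a system:masters admin and a kube-system service account both fire, only the controller-manager is excluded.

```python
from typing import Any, Optional

MUTATING_VERBS = ["update", "patch", "delete"]  # shared by all three selections
LOGGING_NAMESPACES = ["logging", "monitoring", "kube-logging",
                      "elastic-system", "fluentbit", "vector"]

def sigma_match(value: Any, wanted, contains: bool = False) -> bool:
    """Sigma string matching: case-insensitive, a list is an OR; contains=True models |contains."""
    wanted = wanted if isinstance(wanted, list) else [wanted]
    if not isinstance(value, str):
        return False
    v = value.lower()
    return any((w.lower() in v) if contains else (w.lower() == v) for w in wanted)

def matched_selection(ev: dict) -> Optional[str]:
    """Name of the selection that fires after filter_controller is applied, or None."""
    if not sigma_match(ev.get("verb"), MUTATING_VERBS):
        return None
    # filter_controller excludes only the controller-manager identity; system:masters
    # members and kube-system service accounts are deliberately left in scope
    if sigma_match(ev.get("user.username"), "system:kube-controller-manager"):
        return None
    resource, name = ev.get("objectRef.resource"), ev.get("objectRef.name")
    if sigma_match(resource, "configmaps") and sigma_match(
            name, ["audit-policy", "audit-log", "kube-apiserver-audit"], contains=True):
        return "selection_audit_policy"
    if sigma_match(resource, ["validatingwebhookconfigurations",
                              "mutatingwebhookconfigurations"]) and sigma_match(name, "audit", contains=True):
        return "selection_webhook"
    if sigma_match(resource, ["daemonsets", "deployments", "statefulsets"]) and \
            sigma_match(ev.get("objectRef.namespace"), LOGGING_NAMESPACES):
        return "selection_logging_namespace"
    return None

SAMPLE_EVENTS = [  # constructed sample events, not real cluster data
    {"verb": "patch", "user.username": "kubernetes-admin", "user.groups": ["system:masters"],
     "objectRef.resource": "configmaps", "objectRef.namespace": "kube-system",
     "objectRef.name": "audit-policy"},                                   # fires
    {"verb": "update", "user.username": "system:kube-controller-manager",
     "objectRef.resource": "deployments", "objectRef.namespace": "logging",
     "objectRef.name": "fluent-bit"},                                     # filtered out
    {"verb": "delete", "user.username": "system:serviceaccount:kube-system:default",
     "objectRef.resource": "validatingwebhookconfigurations", "objectRef.name": "audit-webhook"},
    {"verb": "get", "user.username": "dev", "objectRef.resource": "configmaps",
     "objectRef.namespace": "kube-system", "objectRef.name": "audit-policy"},  # read only
]

def evaluate(events) -> list:
    return [matched_selection(e) for e in events]
```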