Last reviewed:
Sigma rule outputs from CloudSigma, rendered into Elastic queries against the Kubernetes Audit schema. Every rule is mapped to MITRE ATT&CK and validated against the Elastic query dialect.
| Technique | Rule | Severity | Log source |
|---|---|---|---|
| T1059 | Command and Scripting Interpreter on Kubernetes Audit | medium | Kubernetes Audit |
| T1078 | Valid Accounts on Kubernetes Audit | medium | Kubernetes Audit |
| T1078.004 | Valid Accounts: Cloud Accounts on Kubernetes Audit | medium | Kubernetes Audit |
| T1078.004 | Valid Accounts: Cloud Accounts on Kubernetes Audit | medium | Kubernetes Audit |
| T1078.004 | Valid Accounts: Cloud Accounts on Kubernetes Audit | medium | Kubernetes Audit |
| T1098 | Account Manipulation on Kubernetes Audit | medium | Kubernetes Audit |
| T1098.001 | Account Manipulation: Additional Cloud Credentials on Kubernetes Audit | medium | Kubernetes Audit |
We are not embedding an example rule on this page yet. The rule corpus for this source is still being reviewed against a13e's public embed bar. CloudSigma can generate Sigma rules from CVE advisories, vulnerability disclosures and security research; generate an Elastic-targeted rule there, review it against your local telemetry, then deploy it in your SIEM.