
Summary
This rule detects privilege-escalation activity in Google Kubernetes Engine (GKE) by spotting updates to existing RBAC roles (Role or ClusterRole) that expand permissions to wildcard resources and verbs. It looks for patch or update operations on roles (RBAC) via GCP audit logs (dataset gcp.audit) and requires the log response body to capture the merged role rules after the change. Specifically, it flags events where gcp.audit.response.rules.verbs and gcp.audit.response.rules.resources are both wildcard ("*") and the event action corresponds to roles.update/roles.patch or clusterroles.update/clusterroles.patch. Loopback (non-external) source IPs are ignored to reduce noise. The alert emphasizes that such changes can resemble cluster-admin breadth and should be treated as a potential privilege escalation if not properly sanctioned. The rule maps to MITRE ATT&CK T1098 (Account Manipulation) with subtechnique T1098.006 (Additional Container Cluster Roles). A high risk score (73) and high severity are assigned, reflecting the potential impact of unintended access expansion. It includes triage guidance, false positives caveats, and remediation steps, including correlating with change records, reviewing bindings, and reverting unintended changes. This rule requires enabling GKE audit logs with response bodies (via the GCP Fleet integration) to function correctly. It also notes that legitimate administrators or GitOps processes may widen RBAC; such cases should be baselined and allowlisted when documented. The integration context suggests monitoring for subsequent sensitive actions (secret access, exec, further RBAC changes) from the same identity. Setup guidance reminds operators to enable the GCP Fleet integration and GKE audit logging for compatibility.Overall, this rule provides a focused, auditable mechanism to detect dangerous RBAC wildcard expansions in GKE clusters and to support rapid containment and remediation.
Categories
- Cloud
- Kubernetes
- Containers
Data Sources
- Cloud Service
ATT&CK Techniques
- T1098
- T1098.006
Created: 2026-07-07