Detects the binding of high-privilege roles (for example cluster-admin) to user, group or service account subjects through Kubernetes RoleBinding or ClusterRoleBinding objects, with emphasis on bindings created outside CI/CD automation, by unrecognised principals, or from unexpected source IPs.
| Data Component | Name | Channel |
|---|---|---|
| User Account Modification (DC0010) | kubernetes:audit | create, update or patch events for RoleBinding or ClusterRoleBinding objects in the kube-apiserver audit log (the bound role is in requestObject.roleRef, so the audit policy must log these resources at Request or RequestResponse level) |

| Field | Description |
|---|---|
| UserAgent | Filter expected sources of automated role assignment (e.g., CI/CD tooling); the user agent is client-supplied, so pair it with the authenticated identity rather than trusting it alone |
| RoleName | Scope to privileged roles such as cluster-admin, admin and edit, matched on roleRef.name; note that a namespaced RoleBinding can reference a ClusterRole |
| TimeWindow | Detect after-hours or irregular-time assignments |
| UserContext | Define known service accounts and privileged operators to reduce noise |
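The logic the two tables describe, run over constructed kube-apiserver audit events, as an added example (not code from the original page or from the ATT&CK project). It assumes JSON audit logging at RequestResponse level; the allowlisted user agent prefix, the known operators, the trusted CIDR and the business-hours window are illustrative assumptions to be replaced with a cluster's own values.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Roles whose assignment should always be reviewed (tune to the cluster).
PRIVILEGED_ROLES = {"cluster-admin", "admin", "edit"}
# Assumed allowlists: CI/CD tooling by user agent prefix, known privileged
# principals, and the networks management traffic is expected to come from.
ALLOWED_USER_AGENT_PREFIXES = ("argocd-application-controller/",)
KNOWN_OPERATORS = {"system:serviceaccount:argocd:argocd-application-controller"}
KNOWN_SOURCE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
BUSINESS_HOURS_UTC = range(8, 18)  # assumed working window


def is_binding_mutation(event):
    """True for a successful, completed create/update/patch of a (Cluster)RoleBinding."""
    if event.get("stage") != "ResponseComplete":
        return False
    if event.get("verb") not in ("create", "update", "patch"):
        return False
    if not 200 <= event.get("responseStatus", {}).get("code", 0) < 300:
        return False
    ref = event.get("objectRef", {})
    return (ref.get("apiGroup") == "rbac.authorization.k8s.io"
            and ref.get("resource") in ("rolebindings", "clusterrolebindings"))


def bound_role(event):
    """Name of the referenced role. A patch body may omit roleRef, so fall back
    to the server's responseObject (present at RequestResponse audit level)."""
    for key in ("requestObject", "responseObject"):
        role_ref = (event.get(key) or {}).get("roleRef") or {}
        if role_ref.get("name"):
            return role_ref["name"]
    return None


def evaluate(event):
    """Return a finding for a suspicious privileged binding, else None."""
    if not is_binding_mutation(event):
        return None
    role = bound_role(event)
    if role not in PRIVILEGED_ROLES:
        return None
    user = event.get("user", {}).get("username", "")
    agent = event.get("userAgent", "")
    # Expected automation only when both the client-supplied agent and the
    # authenticated identity match; the agent string alone is spoofable.
    if agent.startswith(ALLOWED_USER_AGENT_PREFIXES) and user in KNOWN_OPERATORS:
        return None
    reasons = [f"binds privileged role {role}"]
    if user not in KNOWN_OPERATORS:
        reasons.append(f"unrecognised principal {user}")
    for ip in event.get("sourceIPs", []):
        if not any(ipaddress.ip_address(ip) in net for net in KNOWN_SOURCE_NETWORKS):
            reasons.append(f"unknown source IP {ip}")
    ts = datetime.fromisoformat(event["requestReceivedTimestamp"].replace("Z", "+00:00"))
    if ts.astimezone(timezone.utc).hour not in BUSINESS_HOURS_UTC:
        reasons.append(f"outside business hours ({ts.isoformat()})")
    ref = event["objectRef"]
    obj = event.get("requestObject") or event.get("responseObject") or {}
    return {
        "user": user,
        "binding": f"{ref.get('namespace', '')}/{ref.get('name')}".lstrip("/"),
        "role": role,
        "subjects": [s.get("name") for s in obj.get("subjects", [])],
        "reasons": reasons,
    }


def detect(lines):
    """Run the analytic over raw audit log lines and return the findings."""
    return [f for f in (evaluate(json.loads(l)) for l in lines if l.strip()) if f]


# Constructed audit events (not real log data): one allowlisted CI/CD binding,
# one after-hours cluster-admin grant by kubectl from an unknown IP, one patch
# whose body lacks roleRef, and one benign binding of the non-privileged "view".
SAMPLE_AUDIT_LINES = [json.dumps(e) for e in [
    {"stage": "ResponseComplete", "verb": "create", "requestReceivedTimestamp": "2024-05-11T10:02:11.000000Z",
     "user": {"username": "system:serviceaccount:argocd:argocd-application-controller"},
     "userAgent": "argocd-application-controller/v2.9.3", "sourceIPs": ["10.20.0.5"],
     "objectRef": {"resource": "rolebindings", "namespace": "payments", "name": "deployer-edit", "apiGroup": "rbac.authorization.k8s.io"},
     "responseStatus": {"code": 201},
     "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "edit"}, "subjects": [{"kind": "ServiceAccount", "name": "deployer"}]}},
    {"stage": "ResponseComplete", "verb": "create", "requestReceivedTimestamp": "2024-05-11T02:13:45.123456Z",
     "user": {"username": "alice@example.com"}, "userAgent": "kubectl/v1.29.2 (linux/amd64)", "sourceIPs": ["203.0.113.7"],
     "objectRef": {"resource": "clusterrolebindings", "name": "alice-admin", "apiGroup": "rbac.authorization.k8s.io"},
     "responseStatus": {"code": 201},
     "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}, "subjects": [{"kind": "User", "name": "alice@example.com"}]}},
    {"stage": "ResponseComplete", "verb": "patch", "requestReceivedTimestamp": "2024-05-13T14:30:00.000000Z",
     "user": {"username": "bob@example.com"}, "userAgent": "kubectl/v1.29.2 (linux/amd64)", "sourceIPs": ["10.0.4.8"],
     "objectRef": {"resource": "rolebindings", "namespace": "payments", "name": "bob-admin", "apiGroup": "rbac.authorization.k8s.io"},
     "responseStatus": {"code": 200},
     "requestObject": {"subjects": [{"kind": "User", "name": "bob@example.com"}]},
     "responseObject": {"roleRef": {"kind": "ClusterRole", "name": "admin"}, "subjects": [{"kind": "User", "name": "bob@example.com"}]}},
    {"stage": "ResponseComplete", "verb": "create", "requestReceivedTimestamp": "2024-05-13T15:00:00.000000Z",
     "user": {"username": "alice@example.com"}, "userAgent": "kubectl/v1.29.2 (linux/amd64)", "sourceIPs": ["10.0.4.9"],
     "objectRef": {"resource": "rolebindings", "namespace": "payments", "name": "readers", "apiGroup": "rbac.authorization.k8s.io"},
     "responseStatus": {"code": 201},
     "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "view"}, "subjects": [{"kind": "Group", "name": "readers"}]}},
]]

if __name__ == "__main__":
    for finding in detect(SAMPLE_AUDIT_LINES):
        print(finding)
```

Two findings come out of the sample: the after-hours cluster-admin grant carries four reasons (privileged role, unrecognised principal, unknown source IP, outside hours), while bob's patch is flagged only for the role and the principal, which shows why the roleRef fallback to responseObject matters for patch verbs. The allowlist deliberately requires both the user agent and the identity to match, because the user agent is chosen by the client.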