From d2defca9a4e323bb05dff58080737158a47e7dde Mon Sep 17 00:00:00 2001
From: P4T12ICK
Date: Wed, 21 Jun 2023 16:17:31 +0200
Subject: [PATCH] Delete Detection Kubernetes AWS detect RBAC authorization by account
---
 ...s_detect_rbac_authorization_by_account.yml | 40 -------------------
 1 file changed, 40 deletions(-)
 delete mode 100644 detections/deprecated/kubernetes_aws_detect_rbac_authorization_by_account.yml
diff --git a/detections/deprecated/kubernetes_aws_detect_rbac_authorization_by_account.yml b/detections/deprecated/kubernetes_aws_detect_rbac_authorization_by_account.yml
deleted file mode 100644
index 20202358d8..0000000000
--- a/detections/deprecated/kubernetes_aws_detect_rbac_authorization_by_account.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-name: Kubernetes AWS detect RBAC authorization by account
-id: de7264ed-3ed9-4fef-bb01-6eefc87cefe8
-version: 1
-date: '2020-06-23'
-author: Rod Soto, Splunk
-status: deprecated
-type: Hunting
-description: This search provides information on Kubernetes RBAC authorizations by
-  accounts, this search can be modified by adding top to see both extremes of RBAC
-  by accounts occurrences
-data_source: []
-search: '`aws_cloudwatchlogs_eks` annotations.authorization.k8s.io/reason=* | table
-  sourceIPs{} user.username userAgent annotations.authorization.k8s.io/reason | stats
-  count by user.username annotations.authorization.k8s.io/reason | rare user.username
-  annotations.authorization.k8s.io/reason |`kubernetes_aws_detect_rbac_authorization_by_account_filter`'
-how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This
-  search works with cloudwatch logs
-known_false_positives: Not all RBAC Authorications are malicious. RBAC authorizations
-  can uncover malicious activity specially if sensitive Roles have been granted.
-references: []
-tags:
-  analytic_story:
-  - Kubernetes Sensitive Role Activity
-  asset_type: AWS EKS Kubernetes cluster
-  confidence: 50
-  impact: 50
-  message: tbd
-  observable:
-  - name: field
-    type: Unknown
-    role:
-    - Unknown
-  product:
-  - Splunk Enterprise
-  - Splunk Enterprise Security
-  - Splunk Cloud
-  required_fields:
-  - _time
-  risk_score: 25
-  security_domain: threat