[Rule Tuning] Removing host.os.type from K8s Rules (#5577)
This commit is contained in:
Ruben Groenewoud
@@ -2,7 +2,7 @@
|
||||
creation_date = "2025/06/27"
|
||||
integration = ["kubernetes"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/07/07"
|
||||
updated_date = "2026/01/19"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -62,7 +62,7 @@ tags = [
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
query = '''
|
||||
any where host.os.type == "linux" and event.dataset == "kubernetes.audit_logs" and kubernetes.audit.verb == "delete" and
|
||||
any where event.dataset == "kubernetes.audit_logs" and kubernetes.audit.verb == "delete" and
|
||||
kubernetes.audit.objectRef.resource == "events" and kubernetes.audit.stage == "ResponseComplete"
|
||||
'''
|
||||
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2025/06/24"
|
||||
integration = ["kubernetes"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/07/07"
|
||||
updated_date = "2026/01/19"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -67,7 +67,7 @@ tags = [
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
query = '''
|
||||
any where host.os.type == "linux" and event.dataset == "kubernetes.audit_logs" and kubernetes.audit.verb == "create" and
|
||||
any where event.dataset == "kubernetes.audit_logs" and kubernetes.audit.verb == "create" and
|
||||
kubernetes.audit.stage == "ResponseComplete" and `kubernetes.audit.annotations.authorization_k8s_io/decision` == "forbid"
|
||||
'''
|
||||
|
||||
|
||||
+2
-2
@@ -2,7 +2,7 @@
|
||||
creation_date = "2025/06/17"
|
||||
integration = ["kubernetes"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/07/07"
|
||||
updated_date = "2026/01/19"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -59,7 +59,7 @@ tags = ["Data Source: Kubernetes", "Tactic: Execution", "Resources: Investigatio
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
query = '''
|
||||
any where host.os.type == "linux" and event.dataset == "kubernetes.audit_logs" and
|
||||
any where event.dataset == "kubernetes.audit_logs" and
|
||||
kubernetes.audit.stage == "ResponseComplete" and `kubernetes.audit.annotations.authorization_k8s_io/decision` == "forbid" and
|
||||
not user_agent.original like~ (
|
||||
"/", "karpenter", "csi-secrets-store/*", "elastic-agent/*", "agentbeat/*", "insights-operator*", "oc/*", "cloud-defend/*",
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2025/06/18"
|
||||
integration = ["kubernetes"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/07/21"
|
||||
updated_date = "2026/01/19"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -67,7 +67,7 @@ tags = [
|
||||
timestamp_override = "event.ingested"
|
||||
type = "new_terms"
|
||||
query = '''
|
||||
host.os.type:"linux" and event.dataset:"kubernetes.audit_logs" and kubernetes.audit.stage:"ResponseComplete" and user_agent.original:*
|
||||
event.dataset:"kubernetes.audit_logs" and kubernetes.audit.stage:"ResponseComplete" and user_agent.original:*
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2022/05/17"
|
||||
integration = ["kubernetes"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/06/18"
|
||||
updated_date = "2026/01/19"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -75,7 +75,7 @@ tags = ["Data Source: Kubernetes", "Tactic: Execution", "Resources: Investigatio
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
query = '''
|
||||
any where host.os.type == "linux" and event.dataset == "kubernetes.audit_logs" and
|
||||
any where event.dataset == "kubernetes.audit_logs" and
|
||||
kubernetes.audit.verb in ("get", "create") and kubernetes.audit.objectRef.subresource == "exec" and
|
||||
kubernetes.audit.stage == "ResponseComplete" and `kubernetes.audit.annotations.authorization_k8s_io/decision` == "allow"
|
||||
'''
|
||||
|
||||
Reference in New Issue
Block a user