From 4408ea014bd26c28a12af7bc1e74163d2daaad5f Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Fri, 23 Jan 2026 10:41:20 +0100
Subject: [PATCH] [Rule Tuning] Removing `host.os.type` from K8s Rules (#5577)

---
 .../kubernetes/defense_evasion_events_deleted.toml | 4 ++--
 .../kubernetes/execution_forbidden_creation_request.toml | 4 ++--
 .../execution_forbidden_request_from_unsual_user_agent.toml | 4 ++--
 .../execution_unusual_request_response_by_user_agent.toml | 4 ++--
 rules/integrations/kubernetes/execution_user_exec_to_pod.toml | 4 ++--
 5 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/rules/integrations/kubernetes/defense_evasion_events_deleted.toml b/rules/integrations/kubernetes/defense_evasion_events_deleted.toml
index 2015d3088..106c1158e 100644
--- a/rules/integrations/kubernetes/defense_evasion_events_deleted.toml
+++ b/rules/integrations/kubernetes/defense_evasion_events_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/27"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2025/07/07"
+updated_date = "2026/01/19"
 
 [rule]
 author = ["Elastic"]
@@ -62,7 +62,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where host.os.type == "linux" and event.dataset == "kubernetes.audit_logs" and kubernetes.audit.verb == "delete" and
+any where event.dataset == "kubernetes.audit_logs" and kubernetes.audit.verb == "delete" and
 kubernetes.audit.objectRef.resource == "events" and kubernetes.audit.stage == "ResponseComplete"
 '''
 
diff --git a/rules/integrations/kubernetes/execution_forbidden_creation_request.toml b/rules/integrations/kubernetes/execution_forbidden_creation_request.toml
index 5f520a2b6..19a1619b8 100644
--- a/rules/integrations/kubernetes/execution_forbidden_creation_request.toml
+++ b/rules/integrations/kubernetes/execution_forbidden_creation_request.toml
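Review bot: After this hunk the `query` of defense_evasion_events_deleted.toml is scoped by `event.dataset == "kubernetes.audit_logs"` alone, and the same one-clause scoping now applies to the query hunks in execution_forbidden_creation_request.toml, execution_forbidden_request_from_unsual_user_agent.toml, execution_unusual_request_response_by_user_agent.toml and execution_user_exec_to_pod.toml. The hunks do not show each rule's `tags`, `setup` or `note` text; if any of them still carries an `OS: Linux` tag or tells the analyst that Linux host metadata is required, it should be updated in the same tuning so the rule metadata matches the query. The subject line states what was removed but not why; one sentence in the PR description naming the ingestion path that lacks `host.os.type` (presumably audit logs shipped from managed control planes) would help the next person tuning these rules. The `[rule]` table and the multi-line `query` string extend outside the hunk.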
@@ -2,7 +2,7 @@
 creation_date = "2025/06/24"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2025/07/07"
+updated_date = "2026/01/19"
 
 [rule]
 author = ["Elastic"]
@@ -67,7 +67,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where host.os.type == "linux" and event.dataset == "kubernetes.audit_logs" and kubernetes.audit.verb == "create" and
+any where event.dataset == "kubernetes.audit_logs" and kubernetes.audit.verb == "create" and
 kubernetes.audit.stage == "ResponseComplete" and `kubernetes.audit.annotations.authorization_k8s_io/decision` == "forbid"
 '''
 
diff --git a/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml b/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml
index 9e0fb2631..77d987565 100644
--- a/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml
+++ b/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/17"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2025/07/07"
+updated_date = "2026/01/19"
 
 [rule]
 author = ["Elastic"]
@@ -59,7 +59,7 @@ tags = ["Data Source: Kubernetes", "Tactic: Execution", "Resources: Investigatio
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where host.os.type == "linux" and event.dataset == "kubernetes.audit_logs" and
+any where event.dataset == "kubernetes.audit_logs" and
 kubernetes.audit.stage == "ResponseComplete" and `kubernetes.audit.annotations.authorization_k8s_io/decision` == "forbid" and not user_agent.original like~ ( "/", "karpenter", "csi-secrets-store/*", "elastic-agent/*", "agentbeat/*", "insights-operator*", "oc/*", "cloud-defend/*",
diff --git a/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml b/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml
index 9846fb5bc..0f66d9b3a 100644
--- a/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml
+++ b/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/18"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2025/07/21"
+updated_date = "2026/01/19"
 
 [rule]
 author = ["Elastic"]
@@ -67,7 +67,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-host.os.type:"linux" and event.dataset:"kubernetes.audit_logs" and kubernetes.audit.stage:"ResponseComplete" and user_agent.original:*
+event.dataset:"kubernetes.audit_logs" and kubernetes.audit.stage:"ResponseComplete" and user_agent.original:*
 '''
 
 [[rule.threat]]
diff --git a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
index ee3cd8a8b..9a03b26e4 100644
--- a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
+++ b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/05/17"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2025/06/18"
+updated_date = "2026/01/19"
 
 [rule]
 author = ["Elastic"]
@@ -75,7 +75,7 @@ tags = ["Data Source: Kubernetes", "Tactic: Execution", "Resources: Investigatio
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where host.os.type == "linux" and event.dataset == "kubernetes.audit_logs" and
+any where event.dataset == "kubernetes.audit_logs" and
 kubernetes.audit.verb in ("get", "create") and kubernetes.audit.objectRef.subresource == "exec" and kubernetes.audit.stage == "ResponseComplete" and `kubernetes.audit.annotations.authorization_k8s_io/decision` == "allow"
 '''
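Review bot: The widened `query` in execution_unusual_request_response_by_user_agent.toml feeds a `new_terms` rule, so its baseline window is now built from audit events that the old `host.os.type:"linux"` clause excluded. If `new_terms_fields` covers `user_agent.original` (the hunk does not show that key), user agents that only ever appeared on those previously excluded events will surface as new on the first runs after deployment, a one-off burst rather than a real anomaly. That transition is worth stating in the rule's `note` or in the PR so analysts triaging those alerts know to expect it. The `[rule]` table and the `[[rule.threat]]` entries extend outside the hunk.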