security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update execution_user_exec_to_pod.toml (#2092)

Browse Source 
I'm removing the event.dataset query portion of the rule because this field has been removed from the current mapping so this rule is not triggering with the most updated K8s Integrations.
This commit is contained in:
Isai
2022-07-28 12:49:45 -04:00
committed by GitHub
parent 3a557503d1
commit 4f1b7fa448
1 changed files with 2 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/integrations/kubernetes/execution_user_exec_to_pod.toml
+2 -3
View File
@@ -4,7 +4,7 @@ integration = "kubernetes"
maturity = "production"
min_stack_comments = "Necessary audit log fields not available prior to 8.2"
min_stack_version = "8.2"
updated_date = "2022/06/09"
updated_date = "2022/07/11"
[rule]
author = ["Elastic"]
@@ -43,8 +43,7 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:"kubernetes.audit_logs"
and kubernetes.audit.objectRef.resource:"pods"
kubernetes.audit.objectRef.resource:"pods"
and kubernetes.audit.objectRef.subresource:"exec"
'''