From 4f1b7fa448eb2037a87d8f8a778413a37b425560 Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Thu, 28 Jul 2022 12:49:45 -0400
Subject: [PATCH] Update execution_user_exec_to_pod.toml (#2092)

I'm removing the event.dataset query portion of the rule because this field has been removed from the current mapping so this rule is not triggering with the most updated K8s Integrations.
---
 .../integrations/kubernetes/execution_user_exec_to_pod.toml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
index a14d41996..0f3258290 100644
--- a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
+++ b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
@@ -4,7 +4,7 @@ integration = "kubernetes"
 maturity = "production"
 min_stack_comments = "Necessary audit log fields not available prior to 8.2"
 min_stack_version = "8.2"
-updated_date = "2022/06/09"
+updated_date = "2022/07/11"
 
 [rule]
 author = ["Elastic"]
@@ -43,8 +43,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:"kubernetes.audit_logs"
- and kubernetes.audit.objectRef.resource:"pods"
+kubernetes.audit.objectRef.resource:"pods"
 and kubernetes.audit.objectRef.subresource:"exec"
 '''
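Review bot: Dropping the `event.dataset:"kubernetes.audit_logs"` clause in the second hunk leaves the query scoped only by `kubernetes.audit.objectRef.resource:"pods"` and `kubernetes.audit.objectRef.subresource:"exec"`, so the rule now matches any document in its index pattern that carries those fields rather than only the audit-log dataset; the rule's index pattern is outside the hunk, so whether that widens the match set cannot be confirmed here. If the current integration still populates the ECS `data_stream.dataset` field, a replacement constraint such as `data_stream.dataset:"kubernetes.audit_logs"` would keep the dataset scope explicit without depending on the removed mapping. The change also deserves a trace in the rule itself — for example extending `min_stack_comments` with a clause like `"; event.dataset filter dropped because the field is no longer mapped by the Kubernetes integration"` — so the next maintainer does not re-add the filter and silently break the detection again. The `query` string closes with `'''` inside the hunk, but the `[rule]` table continues outside it.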