diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index 8ff48b7fd..d4c952913 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -61,6 +61,23 @@
 },
 "logs-kubernetes.*": {
 "kubernetes.audit.objectRef.resource": "keyword",
- "kubernetes.audit.objectRef.subresource": "keyword"
+ "kubernetes.audit.objectRef.subresource": "keyword",
+ "kubernetes.audit.verb": "keyword",
+ "kubernetes.audit.user.username": "keyword",
+ "kubernetes.audit.impersonatedUser.username": "keyword",
+ "kubernetes.audit.annotations.authorization_k8s_io/decision": "keyword",
+ "kubernetes.audit.annotations.authorization_k8s_io/reason": "keyword",
+ "kubernetes.audit.user.groups": "text",
+ "kubernetes.audit.requestObject.spec.containers.securityContext.privileged": "boolean",
+ "kubernetes.audit.requestObject.spec.containers.securityContext.allowPrivilegeEscalation": "boolean",
+ "kubernetes.audit.requestObject.spec.securityContext.runAsUser": "long",
+ "kubernetes.audit.requestObject.spec.containers.securityContext.runAsUser": "long",
+ "kubernetes.audit.requestObject.spec.hostPID": "boolean",
+ "kubernetes.audit.requestObject.spec.hostNetwork": "boolean",
+ "kubernetes.audit.requestObject.spec.hostIPC": "boolean",
+ "kubernetes.audit.requestObject.spec.volumes.hostPath.path": "keyword",
+ "kubernetes.audit.requestObject.spec.type": "keyword",
+ "kubernetes.audit.requestObject.rules.resources": "keyword",
+ "kubernetes.audit.requestObject.rules.verb": "keyword"
 }
 }
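Review bot: The last added entry, `"kubernetes.audit.requestObject.rules.verb": "keyword"`, looks like a misspelling of the Kubernetes RBAC PolicyRule field, which is the plural `verbs` (alongside `resources`, which the previous line does spell in the plural); a schema entry for a field that never appears in audit events lets a rule referencing it pass validation while silently matching nothing, so unless an existing rule deliberately queries `rules.verb` this should read `"kubernetes.audit.requestObject.rules.verbs": "keyword"`. Separately, `"kubernetes.audit.user.groups": "text"` is the only string field in the block typed `text` rather than `keyword`; if the Kubernetes integration maps it as `keyword`, the `text` type here would let exact-match comparisons on group names (e.g. against `system:masters`) validate under analyzer semantics the indexed field does not have, so it is worth confirming against the integration's field definition before relying on it. A short description comment is not possible in strict JSON, so the field-source rationale (which integration version these names were taken from) belongs in the commit message or the schema's accompanying docs.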