From 60adba8f0c3f3b4527195a2f4e33bdc50e63b7cd Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Thu, 28 Jul 2022 13:09:26 -0400
Subject: [PATCH] [New Rule] Kubernetes Pod Created with Sensitive hostPath Volume (#2094)
* [New Rule] Kubernetes Pod Created with Sensitive hostPath Volume created new rule toml and updated non-ecs-schema with k8s fields
* Update rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
(cherry picked from commit c1486407aaf0cb299fcc928ebe9e6bdb261768cc)
---
detection_rules/etc/non-ecs-schema.json | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index 8ff48b7fd..d4c952913 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -61,6 +61,23 @@
 },
 "logs-kubernetes.*": {
 "kubernetes.audit.objectRef.resource": "keyword",
- "kubernetes.audit.objectRef.subresource": "keyword"
+ "kubernetes.audit.objectRef.subresource": "keyword",
+ "kubernetes.audit.verb": "keyword",
+ "kubernetes.audit.user.username": "keyword",
+ "kubernetes.audit.impersonatedUser.username": "keyword",
+ "kubernetes.audit.annotations.authorization_k8s_io/decision": "keyword",
+ "kubernetes.audit.annotations.authorization_k8s_io/reason": "keyword",
+ "kubernetes.audit.user.groups": "text",
+ "kubernetes.audit.requestObject.spec.containers.securityContext.privileged": "boolean",
+ "kubernetes.audit.requestObject.spec.containers.securityContext.allowPrivilegeEscalation": "boolean",
+ "kubernetes.audit.requestObject.spec.securityContext.runAsUser": "long",
+ "kubernetes.audit.requestObject.spec.containers.securityContext.runAsUser": "long",
+ "kubernetes.audit.requestObject.spec.hostPID": "boolean",
+ "kubernetes.audit.requestObject.spec.hostNetwork": "boolean",
+ "kubernetes.audit.requestObject.spec.hostIPC": "boolean",
+ "kubernetes.audit.requestObject.spec.volumes.hostPath.path": "keyword",
+ "kubernetes.audit.requestObject.spec.type": "keyword",
+ "kubernetes.audit.requestObject.rules.resources": "keyword",
+ "kubernetes.audit.requestObject.rules.verb": "keyword"
 }
 }
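Review bot: The added key `kubernetes.audit.requestObject.rules.verb` is singular while its sibling `kubernetes.audit.requestObject.rules.resources` is plural; if these are meant to mirror the RBAC PolicyRule fields, the field is `verbs`, and a detection rule querying `...rules.verb` would likely never match an audit event while still passing schema validation. Please confirm the name against the Kubernetes integration's field mapping before a rule depends on it. Separately, `kubernetes.audit.user.groups` is the only entry typed `text` while every comparable field in this hunk is `keyword`; a `text` mapping tokenizes values such as `system:masters`, so an exact-match condition in a rule may behave differently than intended — if the integration maps it as `keyword`, `"kubernetes.audit.user.groups": "keyword"` would keep the schema consistent and the match semantics exact.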