[New Rule] Interactive Exec Command Launched Against A Running Container (#2791)

* [New Rule] Interactive Exec Command Launched Against A Running Container

new rule toml

* Update execution_interactive_exec_to_container.toml

updated reference links

* Update execution_interactive_exec_to_container.toml

fixed the comments

* Update execution_interactive_exec_to_container.toml

* Update execution_interactive_exec_to_container.toml

removed process.session_leader.same_as_process

* Update execution_interactive_exec_to_container.toml

added time intervals

* Apply suggestions from code review

updated spacing

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml

@@ -0,0 +1,79 @@
+[metadata]
+creation_date = "2023/05/12"
+integration = ["cloud_defend"]
+maturity = "production"
+min_stack_comments = "New Integration: Cloud Defend"
+min_stack_version = "8.8.0"
+updated_date = "2023/05/16"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects interactive 'exec' events launched against a container using the 'exec' command. Using the 'exec'
+command in a pod allows a user to establish a temporary shell session and execute any process/command inside the container.
+This rule specifically targets higher-risk interactive commands that allow real-time interaction with a container's shell.
+A malicious actor could use this level of access to further compromise the container environment or attempt a container breakout.
+"""
+false_positives = [
+    """
+    An administrator may need to exec into a pod for a legitimate reason like debugging purposes. Containers built from
+    Linux and Windows OS images, tend to include debugging utilities. In this case, an admin may choose to run commands
+    inside a specific container with kubectl exec ${POD_NAME} -c ${CONTAINER_NAME} -- ${CMD} ${ARG1} ${ARG2} ...
+    ${ARGN}. For example, the following command can be used to look at logs from a running Cassandra pod: kubectl exec
+    cassandra --cat /var/log/cassandra/system.log . Additionally, the -i and -t arguments might be used to run a shell
+    connected to the terminal: kubectl exec -i -t cassandra -- sh
+    """,
+]
+from = "now-6m"
+index = ["logs-cloud_defend*"]
+interval = "5m"
+language = "eql"
+license = "Elastic License v2"
+name = "Interactive Exec Command Launched Against A Running Container"
+references = [
+    "https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/",
+    "https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/",
+]
+risk_score = 73
+rule_id = "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1"
+severity = "high"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Container"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where container.id : "*" and event.type== "start" and 
+
+/* use of kubectl exec to enter a container */
+process.entry_leader.entry_meta.type : "container" and 
+
+/* process is the inital process run in a container */
+process.entry_leader.same_as_process== true and
+
+/* interactive process */
+process.interactive == true
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+  [rule.threat.tactic]
+  id = "TA0002"
+  reference = "https://attack.mitre.org/tactics/TA0002/"
+  name = "Execution"
+
+  [[rule.threat.technique]]
+  id = "T1059"
+  reference = "https://attack.mitre.org/techniques/T1059/"
+  name = "Command and Scripting Interpreter"
+
+    [[rule.threat.technique.subtechnique]]
+    id = "T1059.004"
+    reference = "https://attack.mitre.org/techniques/T1059/004/"
+    name = "Unix Shell"
+  
+  [[rule.threat.technique]]
+  id = "T1609"
+  name = "Container Administration Command"
+  reference = "https://attack.mitre.org/techniques/T1609/"