security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Kubernetes Unusual Decision by User Agent (#4829)

Browse Source 
* [New Rule] Kubernetes Unusual Request Response by User Agent

* ++

* Update execution_unusual_request_response_by_user_agent.toml

* Update rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml

* Update execution_unusual_request_response_by_user_agent.toml

* Update rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml
This commit is contained in:
Ruben Groenewoud
2025-07-18 09:44:02 +02:00
committed by GitHub
parent 0f8c53e4d2
commit 9f46d5b496
1 changed files with 51 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml
+51
View File
@@ -0,0 +1,51 @@
[metadata]
creation_date = "2025/06/18"
integration = ["kubernetes"]
maturity = "production"
updated_date = "2025/06/18"
[rule]
author = ["Elastic"]
description = """
This rule detects unusual request responses in Kubernetes audit logs through the use of the
"new_terms" rule type. In production environments, default API requests are typically made by
system components or trusted users, who are expected to have a consistent user agent and
allowed response annotations. By monitoring for anomalies in the username and response
annotations, this rule helps identify potential unauthorized access or misconfigurations
in the Kubernetes environment.
"""
index = ["logs-kubernetes.audit_logs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Kubernetes Unusual Decision by User Agent"
risk_score = 21
rule_id = "8a1db198-da6f-4500-b985-7fe2457300af"
severity = "low"
tags = [
"Domain: Kubernetes",
"Domain: Container",
"Use Case: Threat Detection",
"Data Source: Kubernetes",
"Tactic: Execution"
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type:"linux" and event.dataset:"kubernetes.audit_logs" and kubernetes.audit.stage:"ResponseComplete" and user_agent.original:*
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[rule.new_terms]
field = "new_terms_fields"
value = ["kubernetes.audit.annotations.authorization_k8s_io/decision", "kubernetes.audit.user.username", "user_agent.original"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"