[BUG] test_all_rule_queries_optimized does not run on rules (#2823)
* Fixed kql -> kuery in test_all_rule_queries_opt...
* all queries optimized
* manually reconciled all rules that failed due to toml escaped chars
* merge rules from main
* Rules needing optimization
* Fix optimized note
* fix another note
* another note fix
* fixing whitespace
* Updated for readability

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
committed by GitHub
parent d829b145ef
commit aaa4ce2ea0
@@ -38,10 +38,10 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset : "kubernetes.audit_logs"
and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
and (kubernetes.audit.user.username:("system:anonymous" or "system:unauthenticated") or not kubernetes.audit.user.username:*)
and not kubernetes.audit.objectRef.resource:("healthz" or "livez" or "readyz")
event.dataset:kubernetes.audit_logs
and kubernetes.audit.annotations.authorization_k8s_io/decision:allow
and kubernetes.audit.user.username:("system:anonymous" or "system:unauthenticated" or not *)
and not kubernetes.audit.objectRef.resource:(healthz or livez or readyz)
'''
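Review bot: the rewritten username clause in this hunk changes the grouping, and that needs a check before merge. The original expressed "field absent" as a separate top-level term, `or not kubernetes.audit.user.username:*`, whereas the optimized form folds it into the value list as `kubernetes.audit.user.username:("system:anonymous" or "system:unauthenticated" or not *)`. That relies on the KQL parser distributing the field over a negated element of the value list; please confirm against an audit event that carries no `kubernetes.audit.user.username` field at all that the optimized query still matches it, since events with a missing username are part of the anonymous/unauthenticated-access case this query targets and would be silently lost if the two forms are not equivalent. The other edits are fine: dropping the quotes on `kubernetes.audit_logs`, `allow`, `healthz`, `livez` and `readyz` is safe because those values contain no reserved characters, while `"system:anonymous"` and `"system:unauthenticated"` correctly keep their quotes because of the embedded colon.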