[Rule Tuning] kubernetes.audit.userAgent --> user_agent.original Conversion (#5808)

rules/integrations/kubernetes/discovery_denied_service_account_request.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/09/13"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/01/30"
+updated_date = "2026/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -82,7 +82,7 @@ query = '''
 event.dataset:"kubernetes.audit_logs" and
 kubernetes.audit.user.username:system\:serviceaccount\:* and
 kubernetes.audit.annotations.authorization_k8s_io/decision:"forbid" and
-kubernetes.audit.userAgent:(* and not (*kubernetes/$Format or karpenter or csi-secrets-store* or OpenAPI-Generator* or Prometheus* or dashboard* or cilium-agent*))
+user_agent.original:(* and not (*kubernetes/$Format or karpenter or csi-secrets-store* or OpenAPI-Generator* or Prometheus* or dashboard* or cilium-agent*))
 '''
 
 [[rule.threat]]
@@ -100,7 +100,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["kubernetes.audit.userAgent"]
+value = ["user_agent.original"]
 
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"

rules/integrations/kubernetes/discovery_endpoint_permission_enumeration_by_anonymous_user.toml

@@ -2,7 +2,7 @@
 creation_date = "2026/02/02"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -114,7 +114,7 @@ from logs-kubernetes.audit_logs-* metadata _id, _index, _version
     Esql.kubernetes_audit_requestURI_values = values(kubernetes.audit.requestURI),
     Esql.data_stream_namespace_values = values(data_stream.namespace)
 
-  BY kubernetes.audit.sourceIPs, kubernetes.audit.userAgent
+  BY kubernetes.audit.sourceIPs, user_agent.original
 
 | where
     Esql.kubernetes_audit_requestURI_count_distinct > 5 and
@@ -122,7 +122,7 @@ from logs-kubernetes.audit_logs-* metadata _id, _index, _version
     Esql.document_count < 50 and
     (Esql.authz_forbid_count >= 1 or Esql.status_fail_count >= 1 or Esql.not_found_count >= 3)
 
-| keep Esql.*, kubernetes.audit.sourceIPs, kubernetes.audit.userAgent
+| keep Esql.*, kubernetes.audit.sourceIPs, user_agent.original
 '''
 
 [[rule.threat]]

rules/integrations/kubernetes/discovery_endpoint_permission_enumeration_by_user_and_srcip.toml

@@ -2,7 +2,7 @@
 creation_date = "2026/02/02"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ from logs-kubernetes.audit_logs-* metadata _id, _index, _version
   Esql.kubernetes_audit_user_username_values = values(kubernetes.audit.user.username),
   Esql.kubernetes_audit_user_groups_values = values(kubernetes.audit.user.groups),
   Esql.kubernetes_audit_requestURI_values = values(kubernetes.audit.requestURI),
-  Esql.kubernetes_audit_userAgent_values = values(kubernetes.audit.userAgent),
+  Esql.user_agent_original_values = values(user_agent.original),
   Esql.data_stream_namespace_values = values(data_stream.namespace)
   
   by kubernetes.audit.user.username, kubernetes.audit.sourceIPs

rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/06/30"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/01/30"
+updated_date = "2026/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -85,7 +85,7 @@ kubernetes.audit.verb:"create" and
 kubernetes.audit.objectRef.resource:("selfsubjectaccessreviews" or "selfsubjectrulesreviews") and (
   kubernetes.audit.user.username:(system\:serviceaccount\:* or system\:node\:*) or
   kubernetes.audit.impersonatedUser.username:(system\:serviceaccount\:* or system\:node\:*)
-) and kubernetes.audit.userAgent:(* and not (*kubernetes/$Format))
+) and user_agent.original:(* and not (*kubernetes/$Format))
 '''
 
 [[rule.threat]]
@@ -103,7 +103,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["kubernetes.audit.userAgent"]
+value = ["user_agent.original"]
 
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"

rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/06/17"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/01/30"
+updated_date = "2026/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -68,7 +68,7 @@ query = '''
 event.dataset:"kubernetes.audit_logs" and
 kubernetes.audit.stage:"ResponseComplete" and
 kubernetes.audit.annotations.authorization_k8s_io/decision:"forbid" and
-kubernetes.audit.userAgent:(* and not (*kubernetes/$Format))
+user_agent.original:(* and not (*kubernetes/$Format))
 '''
 
 [[rule.threat]]
@@ -81,7 +81,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["kubernetes.audit.userAgent"]
+value = ["user_agent.original"]
 
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"

rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/06/18"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/01/30"
+updated_date = "2026/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -68,9 +68,9 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
 event.dataset:"kubernetes.audit_logs" and kubernetes.audit.stage:"ResponseComplete" and
-kubernetes.audit.userAgent:(* and not (*kubernetes/$Format)) and
+user_agent.original:(* and not (*kubernetes/$Format)) and
 not (
-  kubernetes.audit.userAgent:kubelet* and
+  user_agent.original:kubelet* and
   not kubernetes.audit.objectRef.resource:(pods or nodes or csinodes or csidrivers or configmaps or secrets or events or leases or runtimeclasses) and
   kubernetes.audit.verb:(get or list or watch or patch)
 )
@@ -86,7 +86,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["kubernetes.audit.annotations.authorization_k8s_io/decision", "kubernetes.audit.user.username", "kubernetes.audit.userAgent"]
+value = ["kubernetes.audit.annotations.authorization_k8s_io/decision", "kubernetes.audit.user.username", "user_agent.original"]
 
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"

rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/09/13"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/02"
+updated_date = "2026/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,7 @@ query = '''
 event.dataset:"kubernetes.audit_logs" and
 kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
 kubernetes.audit.user.username:("system:anonymous" or "system:unauthenticated" or not *) and
-kubernetes.audit.userAgent:(* and not (*kubernetes/$Format)) and
+user_agent.original:(* and not (*kubernetes/$Format)) and
 not kubernetes.audit.requestURI:(/healthz* or /livez* or /readyz* or /version or /.well-known/oauth-authorization-server)
 '''
 
@@ -105,7 +105,7 @@ reference = "https://attack.mitre.org/tactics/TA0001/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["kubernetes.audit.userAgent"]
+value = ["user_agent.original"]
 
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"

rules/integrations/kubernetes/persistence_sensitive_role_creation_or_modification.toml

@@ -2,7 +2,7 @@
 creation_date = "2026/02/04"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/03"
 
 [rule]
 author = ["Elastic"]
@@ -82,7 +82,7 @@ FROM logs-kubernetes.audit_logs-* metadata _id, _index, _version
   kubernetes.audit.stage,
   kubernetes.audit.user.groups,
   kubernetes.audit.user.username,
-  kubernetes.audit.userAgent,
+  user_agent.original,
   kubernetes.audit.verb,
   _id,
   _index,