diff --git a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
index 24be0ab02..7e2e71654 100644
--- a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
+++ b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/13"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/01/30"
+updated_date = "2026/03/03"
 [rule]
 author = ["Elastic"]
@@ -82,7 +82,7 @@ query = '''
 event.dataset:"kubernetes.audit_logs" and
 kubernetes.audit.user.username:system\:serviceaccount\:* and
 kubernetes.audit.annotations.authorization_k8s_io/decision:"forbid" and
-kubernetes.audit.userAgent:(* and not (*kubernetes/$Format or karpenter or csi-secrets-store* or OpenAPI-Generator* or Prometheus* or dashboard* or cilium-agent*))
+user_agent.original:(* and not (*kubernetes/$Format or karpenter or csi-secrets-store* or OpenAPI-Generator* or Prometheus* or dashboard* or cilium-agent*))
 '''
 [[rule.threat]]
@@ -100,7 +100,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["kubernetes.audit.userAgent"]
+value = ["user_agent.original"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
diff --git a/rules/integrations/kubernetes/discovery_endpoint_permission_enumeration_by_anonymous_user.toml b/rules/integrations/kubernetes/discovery_endpoint_permission_enumeration_by_anonymous_user.toml
index cfae59094..a8929be63 100644
--- a/rules/integrations/kubernetes/discovery_endpoint_permission_enumeration_by_anonymous_user.toml
+++ b/rules/integrations/kubernetes/discovery_endpoint_permission_enumeration_by_anonymous_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/02"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/03"
 [rule]
 author = ["Elastic"]
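Review bot: Switching the new-terms field to `value = ["user_agent.original"]` resets this rule's baseline: the look-back configured under `[[rule.new_terms.history_window_start]]` holds no prior values for the new field until indexed events carrying `user_agent.original` span that window, so on the first runs after upgrade every active client's user agent is "new", and any audit event the integration ingests without `user_agent.original` is silently dropped by the query's `user_agent.original:(* and not ...)` clause rather than evaluated. The same applies to discovery_suspicious_self_subject_review.toml, execution_forbidden_request_from_unsual_user_agent.toml, execution_unusual_request_response_by_user_agent.toml and initial_access_anonymous_request_authorized.toml in this diff. The metadata hunks only bump `updated_date`; if the kubernetes integration populates `user_agent.original` only from a particular package version, that minimum presumably belongs in the rule's related-integrations / minimum-version metadata, which is outside these hunks, and one sentence in the rule note telling operators to expect a burst of alerts while the history window refills would save a tuning round.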
@@ -114,7 +114,7 @@ from logs-kubernetes.audit_logs-* metadata _id, _index, _version
 Esql.kubernetes_audit_requestURI_values = values(kubernetes.audit.requestURI),
 Esql.data_stream_namespace_values = values(data_stream.namespace)
- BY kubernetes.audit.sourceIPs, kubernetes.audit.userAgent
+ BY kubernetes.audit.sourceIPs, user_agent.original
 | where Esql.kubernetes_audit_requestURI_count_distinct > 5 and
@@ -122,7 +122,7 @@ from logs-kubernetes.audit_logs-* metadata _id, _index, _version
 Esql.document_count < 50 and (Esql.authz_forbid_count >= 1 or Esql.status_fail_count >= 1 or Esql.not_found_count >= 3)
-| keep Esql.*, kubernetes.audit.sourceIPs, kubernetes.audit.userAgent
+| keep Esql.*, kubernetes.audit.sourceIPs, user_agent.original
 '''
 [[rule.threat]]
diff --git a/rules/integrations/kubernetes/discovery_endpoint_permission_enumeration_by_user_and_srcip.toml b/rules/integrations/kubernetes/discovery_endpoint_permission_enumeration_by_user_and_srcip.toml
index dacf870be..631b768c7 100644
--- a/rules/integrations/kubernetes/discovery_endpoint_permission_enumeration_by_user_and_srcip.toml
+++ b/rules/integrations/kubernetes/discovery_endpoint_permission_enumeration_by_user_and_srcip.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/02"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/03"
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ from logs-kubernetes.audit_logs-* metadata _id, _index, _version
 Esql.kubernetes_audit_user_username_values = values(kubernetes.audit.user.username),
 Esql.kubernetes_audit_user_groups_values = values(kubernetes.audit.user.groups),
 Esql.kubernetes_audit_requestURI_values = values(kubernetes.audit.requestURI),
- Esql.kubernetes_audit_userAgent_values = values(kubernetes.audit.userAgent),
+ Esql.user_agent_original_values = values(user_agent.original),
 Esql.data_stream_namespace_values = values(data_stream.namespace)
 by kubernetes.audit.user.username, kubernetes.audit.sourceIPs
diff --git a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
index dd2055231..359940c58 100644
--- a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
+++ b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/06/30"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/01/30"
+updated_date = "2026/03/03"
 [rule]
 author = ["Elastic"]
@@ -85,7 +85,7 @@ kubernetes.audit.verb:"create" and
 kubernetes.audit.objectRef.resource:("selfsubjectaccessreviews" or "selfsubjectrulesreviews") and (
 kubernetes.audit.user.username:(system\:serviceaccount\:* or system\:node\:*) or
 kubernetes.audit.impersonatedUser.username:(system\:serviceaccount\:* or system\:node\:*)
-) and kubernetes.audit.userAgent:(* and not (*kubernetes/$Format))
+) and user_agent.original:(* and not (*kubernetes/$Format))
 '''
 [[rule.threat]]
@@ -103,7 +103,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["kubernetes.audit.userAgent"]
+value = ["user_agent.original"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
diff --git a/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml b/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml
index 4f8dcecdb..b6fa7170c 100644
--- a/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml
+++ b/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/17"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/01/30"
+updated_date = "2026/03/03"
 [rule]
 author = ["Elastic"]
@@ -68,7 +68,7 @@ query = '''
 event.dataset:"kubernetes.audit_logs" and
 kubernetes.audit.stage:"ResponseComplete" and
 kubernetes.audit.annotations.authorization_k8s_io/decision:"forbid" and
-kubernetes.audit.userAgent:(* and not (*kubernetes/$Format))
+user_agent.original:(* and not (*kubernetes/$Format))
 '''
 [[rule.threat]]
@@ -81,7 +81,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["kubernetes.audit.userAgent"]
+value = ["user_agent.original"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
diff --git a/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml b/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml
index 67d2e3ecd..1dcd69850 100644
--- a/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml
+++ b/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/18"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/01/30"
+updated_date = "2026/03/03"
 [rule]
 author = ["Elastic"]
@@ -68,9 +68,9 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
 event.dataset:"kubernetes.audit_logs" and kubernetes.audit.stage:"ResponseComplete" and
-kubernetes.audit.userAgent:(* and not (*kubernetes/$Format)) and
+user_agent.original:(* and not (*kubernetes/$Format)) and
 not (
- kubernetes.audit.userAgent:kubelet* and
+ user_agent.original:kubelet* and
 not kubernetes.audit.objectRef.resource:(pods or nodes or csinodes or csidrivers or configmaps or secrets or events or leases or runtimeclasses) and kubernetes.audit.verb:(get or list or watch or patch)
 )
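Review bot: The kubelet carve-out around the renamed line `user_agent.original:kubelet* and` in execution_unusual_request_response_by_user_agent.toml reads `not (kubelet UA and not objectRef.resource:(pods or nodes ... or runtimeclasses) and verb:(get or list or watch or patch))`, which excludes kubelet reads of resources outside the listed set and keeps kubelet reads of pods, nodes, secrets, configmaps and the rest eligible for alerting — the reverse of the usual kubelet allow-list shape. This predates the field rename, but the rename touches the line and is a good moment to confirm the intent. If the inversion is deliberate, a sentence in the rule's description saying why kubelet reads of its own resource set are kept would stop the next reader from "fixing" it; if it is not, the inner `not` should be dropped so the context line reads `kubernetes.audit.objectRef.resource:(pods or nodes or csinodes or csidrivers or configmaps or secrets or events or leases or runtimeclasses) and`.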
@@ -86,7 +86,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["kubernetes.audit.annotations.authorization_k8s_io/decision", "kubernetes.audit.user.username", "kubernetes.audit.userAgent"]
+value = ["kubernetes.audit.annotations.authorization_k8s_io/decision", "kubernetes.audit.user.username", "user_agent.original"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
diff --git a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
index 40240eaec..a850dfd20 100644
--- a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
+++ b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/13"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/02"
+updated_date = "2026/03/03"
 [rule]
 author = ["Elastic"]
@@ -81,7 +81,7 @@ query = '''
 event.dataset:"kubernetes.audit_logs" and
 kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
 kubernetes.audit.user.username:("system:anonymous" or "system:unauthenticated" or not *) and
-kubernetes.audit.userAgent:(* and not (*kubernetes/$Format)) and
+user_agent.original:(* and not (*kubernetes/$Format)) and
 not kubernetes.audit.requestURI:(/healthz* or /livez* or /readyz* or /version or /.well-known/oauth-authorization-server)
 '''
@@ -105,7 +105,7 @@ reference = "https://attack.mitre.org/tactics/TA0001/"
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["kubernetes.audit.userAgent"]
+value = ["user_agent.original"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
diff --git a/rules/integrations/kubernetes/persistence_sensitive_role_creation_or_modification.toml b/rules/integrations/kubernetes/persistence_sensitive_role_creation_or_modification.toml
index 8ba2dcefe..0bb148e32 100644
--- a/rules/integrations/kubernetes/persistence_sensitive_role_creation_or_modification.toml
+++ b/rules/integrations/kubernetes/persistence_sensitive_role_creation_or_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/02/04"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/02/09"
+updated_date = "2026/03/03"
 [rule]
 author = ["Elastic"]
@@ -82,7 +82,7 @@ FROM logs-kubernetes.audit_logs-* metadata _id, _index, _version
 kubernetes.audit.stage,
 kubernetes.audit.user.groups,
 kubernetes.audit.user.username,
- kubernetes.audit.userAgent,
+ user_agent.original,
 kubernetes.audit.verb,
 _id,
 _index,