[Rule Tuning] Full Kubernetes Ruleset (#5659)

* [Rule Tuning] Full Kubernetes Ruleset * ++ * Update manifests & schemas * Update pyproject.toml * Added "kubernetes.audit.userAgent" to non_ecs * Updated kubernetes.audit.requestObject.spec.containers.image of type text to Keyword * Apply suggestion from @Aegrah * Apply suggestion from @Aegrah * Update privilege_escalation_pod_created_with_hostnetwork.toml * Apply suggestion from @Aegrah * Update privilege_escalation_pod_created_with_hostipc.toml * Apply suggestion from @Mikaayenson Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com> * ++ --------- Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-02-04 10:42:41 +01:00
parent 7c03840737
commit c455d3d98a
14 changed files with 322 additions and 187 deletions
@@ -119,6 +119,7 @@
    "kubernetes.audit.impersonatedUser.username": "keyword",
    "kubernetes.audit.annotations.authorization_k8s_io/decision": "keyword",
    "kubernetes.audit.annotations.authorization_k8s_io/reason": "keyword",
+    "kubernetes.audit.userAgent": "keyword",
    "kubernetes.audit.user.extra.authentication.kubernetes.io/pod-name": "keyword",
    "kubernetes.audit.user.groups": "text",
    "kubernetes.audit.requestObject.spec.containers.securityContext.privileged": "boolean",
@@ -137,7 +138,7 @@
    "kubernetes.audit.requestObject.spec.serviceAccountName": "keyword",
    "kubernetes.audit.responseStatus.reason": "keyword",
    "kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add": "keyword",
-    "kubernetes.audit.requestObject.spec.containers.image": "text"
+    "kubernetes.audit.requestObject.spec.containers.image": "keyword"
  },
  ".alerts-security.*": {
    "signal.rule.name": "keyword",
@@ -2,33 +2,33 @@
 creation_date = "2022/09/13"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2025/06/18"
+updated_date = "2026/01/30"

 [rule]
 author = ["Elastic"]
 description = """
-This rule detects when a service account makes an unauthorized request for resources from the API server. Service
-accounts follow a very predictable pattern of behavior. A service account should never send an unauthorized request to
-the API server. This behavior is likely an indicator of compromise or of a problem within the cluster. An adversary may
-have gained access to credentials/tokens and this could be an attempt to access or create resources to facilitate
-further movement or execution within the cluster.
+This rule detects when a service account makes an unauthorized request for resources from the API server via an unusual
+user agent. Service accounts follow a very predictable pattern of behavior. A service account should never send an
+unauthorized request to the API server. This behavior is likely an indicator of compromise or of a problem within the
+cluster. An adversary may have gained access to credentials/tokens and this could be an attempt to access or create
+resources to facilitate further movement or execution within the cluster.
 """
 false_positives = [
    """
-    Unauthorized requests from service accounts are highly abnormal and more indicative of human behavior or a serious
-    problem within the cluster. This behavior should be investigated further.
+    Unauthorized requests from service accounts are normal and expected behavior. Analyze the user agent, pod and
+    other node information to determine if the request is legitimate.
    """,
 ]
 index = ["logs-kubernetes.audit_logs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Kubernetes Denied Service Account Request"
+name = "Kubernetes Denied Service Account Request via Unusual User Agent"
 note = """## Triage and analysis

 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

-### Investigating Kubernetes Denied Service Account Request
+### Investigating Kubernetes Denied Service Account Request via Unusual User Agent

 Kubernetes service accounts are integral for managing pod permissions and accessing the API server. They typically follow strict access patterns. Adversaries may exploit compromised service account credentials to probe or manipulate cluster resources, potentially leading to unauthorized access or lateral movement. The detection rule identifies anomalies by flagging unauthorized API requests from service accounts, signaling possible security breaches or misconfigurations.

@@ -66,30 +66,42 @@ references = [
    "https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections",
    "https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens",
 ]
-risk_score = 47
+risk_score = 21
 rule_id = "63c056a0-339a-11ed-a261-0242ac120002"
-severity = "medium"
-tags = ["Data Source: Kubernetes", "Tactic: Discovery", "Resources: Investigation Guide"]
+severity = "low"
+tags = [
+  "Data Source: Kubernetes",
+  "Domain: Kubernetes",
+  "Use Case: Threat Detection",
+  "Tactic: Discovery",
+  "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
-type = "query"
-
+type = "new_terms"
 query = '''
-event.dataset: "kubernetes.audit_logs"
-  and kubernetes.audit.user.username: system\:serviceaccount\:*
-  and kubernetes.audit.annotations.authorization_k8s_io/decision: "forbid"
+event.dataset:"kubernetes.audit_logs" and
+kubernetes.audit.user.username:system\:serviceaccount\:* and
+kubernetes.audit.annotations.authorization_k8s_io/decision:"forbid" and
+kubernetes.audit.userAgent:(* and not (*kubernetes/$Format or karpenter or csi-secrets-store* or OpenAPI-Generator* or Prometheus* or dashboard* or cilium-agent*))
 '''

-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1613"
 name = "Container and Resource Discovery"
 reference = "https://attack.mitre.org/techniques/T1613/"

-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"

+[rule.new_terms]
+field = "new_terms_fields"
+value = ["kubernetes.audit.userAgent"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
@@ -2,13 +2,13 @@
 creation_date = "2022/06/30"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2025/06/18"
+updated_date = "2026/01/30"

 [rule]
 author = ["Elastic"]
 description = """
-This rule detects when a service account or node attempts to enumerate their own permissions via the
-selfsubjectaccessreview or selfsubjectrulesreview APIs. This is highly unusual behavior for non-human identities like
+This rule detects when a service account or node attempts to enumerate their own permissions via the selfsubjectaccessreview
+or selfsubjectrulesreview APIs via an unusual user agent. This is highly unusual behavior for non-human identities like
 service accounts and nodes. An adversary may have gained access to credentials/tokens and this could be an attempt to
 determine what privileges they have to facilitate further movement or execution within the cluster.
 """
@@ -22,13 +22,13 @@ false_positives = [
 index = ["logs-kubernetes.audit_logs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Kubernetes Suspicious Self-Subject Review"
+name = "Kubernetes Suspicious Self-Subject Review via Unusual User Agent"
 note = """## Triage and analysis

 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

-### Investigating Kubernetes Suspicious Self-Subject Review
+### Investigating Kubernetes Suspicious Self-Subject Review via Unusual User Agent

 Kubernetes uses APIs like selfsubjectaccessreview and selfsubjectrulesreview to allow entities to check their own permissions. While useful for debugging, adversaries can exploit these APIs to assess their access level after compromising service accounts or nodes. The detection rule identifies unusual API calls by non-human identities, flagging potential unauthorized privilege enumeration attempts.

@@ -66,33 +66,45 @@ references = [
    "https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access",
    "https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/detecting-identity-attacks-in-kubernetes/ba-p/3232340",
 ]
-risk_score = 47
+risk_score = 21
 rule_id = "12a2f15d-597e-4334-88ff-38a02cb1330b"
-severity = "medium"
-tags = ["Data Source: Kubernetes", "Tactic: Discovery", "Resources: Investigation Guide"]
+severity = "low"
+tags = [
+  "Data Source: Kubernetes",
+  "Domain: Kubernetes",
+  "Use Case: Threat Detection",
+  "Tactic: Discovery",
+  "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
-type = "query"
-
+type = "new_terms"
 query = '''
-event.dataset : "kubernetes.audit_logs"
-  and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
-  and kubernetes.audit.verb:"create"
-  and kubernetes.audit.objectRef.resource:("selfsubjectaccessreviews" or "selfsubjectrulesreviews")
-  and (kubernetes.audit.user.username:(system\:serviceaccount\:* or system\:node\:*)
-  or kubernetes.audit.impersonatedUser.username:(system\:serviceaccount\:* or system\:node\:*))
+event.dataset : "kubernetes.audit_logs" and
+kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
+kubernetes.audit.verb:"create" and
+kubernetes.audit.objectRef.resource:("selfsubjectaccessreviews" or "selfsubjectrulesreviews") and (
+  kubernetes.audit.user.username:(system\:serviceaccount\:* or system\:node\:*) or
+  kubernetes.audit.impersonatedUser.username:(system\:serviceaccount\:* or system\:node\:*)
+) and kubernetes.audit.userAgent:(* and not (*kubernetes/$Format))
 '''

-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1613"
 name = "Container and Resource Discovery"
 reference = "https://attack.mitre.org/techniques/T1613/"

-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"

+[rule.new_terms]
+field = "new_terms_fields"
+value = ["kubernetes.audit.userAgent"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
@@ -2,7 +2,7 @@
 creation_date = "2025/06/17"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/01/19"
+updated_date = "2026/01/30"

 [rule]
 author = ["Elastic"]
@@ -14,15 +14,15 @@ request, this behavior can suggest an adversary is attempting to exploit vulnera
 in the Kubernetes cluster.
 """
 index = ["logs-kubernetes.audit_logs-*"]
-language = "eql"
+language = "kuery"
 license = "Elastic License v2"
-name = "Forbidden Request from Unusual User Agent in Kubernetes"
+name = "Kubernetes Forbidden Request from Unusual User Agent"
 note = """ ## Triage and analysis

 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

-### Investigating Forbidden Request from Unusual User Agent in Kubernetes
+### Investigating Kubernetes Forbidden Request from Unusual User Agent

 Kubernetes, a container orchestration platform, manages applications across clusters. It uses APIs for communication, which can be targeted by adversaries using atypical user agents to mask malicious activities. These agents may attempt unauthorized actions, exploiting vulnerabilities. The detection rule identifies such anomalies by flagging forbidden requests from non-standard user agents, indicating potential threats.

@@ -55,17 +55,20 @@ Kubernetes, a container orchestration platform, manages applications across clus
 risk_score = 47
 rule_id = "4b77d382-b78e-4aae-85a0-8841b80e4fc4"
 severity = "medium"
-tags = ["Data Source: Kubernetes", "Tactic: Execution", "Resources: Investigation Guide"]
+tags = [
+  "Data Source: Kubernetes",
+  "Domain: Kubernetes",
+  "Use Case: Threat Detection",
+  "Tactic: Execution",
+  "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
-type = "eql"
+type = "new_terms"
 query = '''
-any where event.dataset == "kubernetes.audit_logs" and
-kubernetes.audit.stage == "ResponseComplete" and `kubernetes.audit.annotations.authorization_k8s_io/decision` == "forbid" and
-not user_agent.original like~ (
-  "/", "karpenter", "csi-secrets-store/*", "elastic-agent/*", "agentbeat/*", "insights-operator*", "oc/*", "cloud-defend/*",
-  "OpenAPI-Generator/*", "local-storage-operator/*", "falcon-client/*", "nginx-ingress-controller/*", "config-translator/*",
-  "kwatch/*", "PrometheusOperator/*", "kube*"
-)
+event.dataset:"kubernetes.audit_logs" and
+kubernetes.audit.stage:"ResponseComplete" and
+kubernetes.audit.annotations.authorization_k8s_io/decision:"forbid" and
+kubernetes.audit.userAgent:(* and not (*kubernetes/$Format))
 '''

 [[rule.threat]]
@@ -75,3 +78,11 @@ framework = "MITRE ATT&CK"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["kubernetes.audit.userAgent"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
@@ -2,7 +2,7 @@
 creation_date = "2025/06/18"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/01/19"
+updated_date = "2026/01/30"

 [rule]
 author = ["Elastic"]
@@ -57,17 +57,23 @@ risk_score = 21
 rule_id = "8a1db198-da6f-4500-b985-7fe2457300af"
 severity = "low"
 tags = [
+    "Data Source: Kubernetes",
    "Domain: Kubernetes",
    "Domain: Container",
    "Use Case: Threat Detection",
-    "Data Source: Kubernetes",
    "Tactic: Execution",
    "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset:"kubernetes.audit_logs" and kubernetes.audit.stage:"ResponseComplete" and user_agent.original:*
+event.dataset:"kubernetes.audit_logs" and kubernetes.audit.stage:"ResponseComplete" and
+kubernetes.audit.userAgent:(* and not (*kubernetes/$Format)) and
+not (
+  kubernetes.audit.userAgent:kubelet* and
+  not kubernetes.audit.objectRef.resource:(pods or nodes or csinodes or csidrivers or configmaps or secrets or events or leases or runtimeclasses) and
+  kubernetes.audit.verb:(get or list or watch or patch)
+)
 '''

 [[rule.threat]]
@@ -80,7 +86,7 @@ reference = "https://attack.mitre.org/tactics/TA0002/"

 [rule.new_terms]
 field = "new_terms_fields"
-value = ["kubernetes.audit.annotations.authorization_k8s_io/decision", "kubernetes.audit.user.username", "user_agent.original"]
+value = ["kubernetes.audit.annotations.authorization_k8s_io/decision", "kubernetes.audit.user.username", "kubernetes.audit.userAgent"]

 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
@@ -2,7 +2,7 @@
 creation_date = "2022/05/17"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2026/01/21"
+updated_date = "2026/02/02"

 [rule]
 author = ["Elastic"]
@@ -71,14 +71,38 @@ references = [
 risk_score = 47
 rule_id = "14de811c-d60f-11ec-9fd7-f661ea17fbce"
 severity = "medium"
-tags = ["Data Source: Kubernetes", "Tactic: Execution", "Resources: Investigation Guide"]
+tags = [
+    "Data Source: Kubernetes",
+    "Domain: Kubernetes",
+    "Use Case: Threat Detection",
+    "Tactic: Execution",
+    "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where event.dataset == "kubernetes.audit_logs" and
-kubernetes.audit.verb in ("get", "create") and kubernetes.audit.objectRef.subresource == "exec" and
-kubernetes.audit.stage in ("ResponseComplete", "ResponseStarted") and `kubernetes.audit.annotations.authorization_k8s_io/decision` == "allow"
-and kubernetes.audit.level == "Request"
+any where event.dataset == "kubernetes.audit_logs" and kubernetes.audit.verb in ("get", "create") and
+kubernetes.audit.objectRef.subresource == "exec" and kubernetes.audit.stage in ("ResponseComplete", "ResponseStarted") and
+kubernetes.audit.level == "Request" and `kubernetes.audit.annotations.authorization_k8s_io/decision` == "allow" and
+not (
+  (kubernetes.audit.objectRef.namespace == "trident" and kubernetes.audit.objectRef.name like "trident-controller-*") or
+  (kubernetes.audit.objectRef.namespace == "vuls" and kubernetes.audit.requestURI like "/api/v1/namespaces/vuls/pods/vuls-*/exec?command=sh&command=-c&command=*+%2Fvuls%2Fresults*") or
+  (kubernetes.audit.objectRef.namespace == "git-runners" and kubernetes.audit.requestURI like (
+     "/api/v1/namespaces/git-runners/pods/runner-*/exec?command=sh&command=-c&command=if+%5B+-x+%2Fusr%2Flocal%2Fbin%2Fbash+%5D%3B+then%0A%09exec+%2Fusr%2Flocal%2Fbin%2Fbash+%0Aelif+%5B+-x+%2Fusr%2Fbin%2Fbash+%5D%3B+then%0A%09exec+%2Fusr%2Fbin%2Fbash+%0Aelif+%5B+-x+%2Fbin%2Fbash+%5D%3B+then%0A%09exec+%2Fbin%2Fbash+%0Aelif+%5B+-x+%2Fusr%2Flocal%2Fbin%2Fsh+%5D%3B+then%0A%09exec+%2Fusr%2Flocal%2Fbin%2Fsh+%0Aelif+%5B+-x+%2Fusr%2Fbin%2Fsh+%5D%3B+then%0A%09exec+%2Fusr%2Fbin%2Fsh+%0Aelif+%5B+-x+%2Fbin%2Fsh+%5D%3B+then%0A%09exec+%2Fbin%2Fsh+%0Aelif+%5B+-x+%2Fbusybox%2Fsh+%5D%3B+then%0A%09exec+%2Fbusybox%2Fsh+%0Aelse%0A%09echo+shell+not+found%0A%09exit+1%0Afi%0A%0A&container=*&container=*&stderr=true&stdin=true&stdout=true",
+     "/api/v1/namespaces/git-runners/pods/runner-*/exec?command=gitlab-runner-helper&command=read-logs&command=--path&command=%2Flogs-*%2Foutput.log&command=--offset&command=0&command=--wait-file-timeout&command=1m0s&container=*&container=*&stderr=true&stdout=true"
+  )) or
+  (kubernetes.audit.objectRef.namespace == "elasticsearch-cluster" and kubernetes.audit.requestURI like (
+    "/api/v1/namespaces/elasticsearch-cluster/pods/*/exec?command=df&command=-h&container=elasticsearch&stdin=true&stdout=true&tty=true",
+    "/api/v1/namespaces/elasticsearch-cluster/pods/*/exec?command=df&command=-h&container=elasticsearch&stderr=true&stdout=true",
+    "/api/v1/namespaces/elasticsearch-cluster/pods/*/exec?command=df&command=-h&container=kibana&stderr=true&stdout=true"
+  )) or
+  (kubernetes.audit.objectRef.namespace == "kube-system" and kubernetes.audit.requestURI like (
+    "/api/v1/namespaces/kube-system/pods/*/exec?command=%2Fproxy-agent&command=--help&container=konnectivity-agent&stderr=true&stdout=true",
+    "api/v1/namespaces/kube-system/pods/*/exec?command=cilium&command=endpoint&command=list&command=-o&command=json&container=cilium-agent&stderr=true&stdout=true",
+    "/api/v1/namespaces/kube-system/pods/*/exec?command=cilium&command=status&command=-o&command=json&container=cilium-agent&stderr=true&stdout=true",
+    "/api/v1/namespaces/kube-system/pods/*/exec?command=sh&command=-c&command=clear%3B+%28bash+%7C%7C+ash+%7C%7C+sh%29&container=*&stdin=true&stdout=true&tty=true"
+  ))
+)
 '''

 [[rule.threat]]
@@ -2,14 +2,15 @@
 creation_date = "2022/09/13"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2025/06/18"
+updated_date = "2026/02/02"

 [rule]
 author = ["Elastic"]
 description = """
-This rule detects when an unauthenticated user request is authorized within the cluster. Attackers may attempt to use
-anonymous accounts to gain initial access to the cluster or to avoid attribution of their activities within the cluster.
-This rule excludes the /healthz, /livez and /readyz endpoints which are commonly accessed anonymously.
+This rule detects when an unauthenticated user request is authorized within the cluster via an unusual user agent.
+Attackers may attempt to use anonymous accounts to gain initial access to the cluster or to avoid attribution of
+their activities within the cluster. This rule excludes the /healthz, /livez, /version and /.well-known/oauth-authorization-server
+endpoints which are commonly accessed anonymously.
 """
 false_positives = [
    """
@@ -21,13 +22,13 @@ false_positives = [
 index = ["logs-kubernetes.audit_logs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Kubernetes Anonymous Request Authorized"
+name = "Kubernetes Anonymous Request Authorized by Unusual User Agent"
 note = """## Triage and analysis

 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

-### Investigating Kubernetes Anonymous Request Authorized
+### Investigating Kubernetes Anonymous Request Authorized by Unusual User Agent

 Kubernetes, a container orchestration platform, manages workloads and services. It uses authentication to control access. Adversaries might exploit anonymous access to perform unauthorized actions without leaving traces. The detection rule identifies unauthorized access by monitoring audit logs for anonymous requests that are allowed, excluding common health check endpoints, to flag potential misuse.

@@ -66,33 +67,46 @@ references = [
 risk_score = 47
 rule_id = "63c057cc-339a-11ed-a261-0242ac120002"
 severity = "medium"
-tags = ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Initial Access", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
+tags = [
+  "Data Source: Kubernetes",
+  "Domain: Kubernetes",
+  "Use Case: Threat Detection",
+  "Tactic: Initial Access",
+  "Tactic: Defense Evasion",
+  "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
-type = "query"
-
+type = "new_terms"
 query = '''
-event.dataset:kubernetes.audit_logs
-  and kubernetes.audit.annotations.authorization_k8s_io/decision:allow
-  and kubernetes.audit.user.username:("system:anonymous" or "system:unauthenticated" or not *)
-  and not kubernetes.audit.requestURI:(/healthz* or /livez* or /readyz*)
+event.dataset:"kubernetes.audit_logs" and
+kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
+kubernetes.audit.user.username:("system:anonymous" or "system:unauthenticated" or not *) and
+kubernetes.audit.userAgent:(* and not (*kubernetes/$Format)) and
+not kubernetes.audit.requestURI:(/healthz* or /livez* or /readyz* or /version or /.well-known/oauth-authorization-server)
 '''

-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.001"
 name = "Default Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/001/"

-
-
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"

+[rule.new_terms]
+field = "new_terms_fields"
+value = ["kubernetes.audit.userAgent"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
@@ -2,7 +2,7 @@
 creation_date = "2022/09/20"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2025/06/18"
+updated_date = "2026/02/02"

 [rule]
 author = ["Elastic"]
@@ -56,42 +56,53 @@ references = [
 risk_score = 47
 rule_id = "7164081a-3930-11ed-a261-0242ac120002"
 severity = "medium"
-tags = ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
+tags = [
+  "Data Source: Kubernetes",
+  "Domain: Kubernetes",
+  "Use Case: Threat Detection",
+  "Tactic: Execution",
+  "Tactic: Privilege Escalation",
+  "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
-
 query = '''
-event.dataset: kubernetes.audit_logs
-  and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
-  and kubernetes.audit.verb: create
-  and kubernetes.audit.objectRef.resource: pods
-  and kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add: ("BPF" or "DAC_READ_SEARCH"  or "NET_ADMIN" or "SYS_ADMIN" or "SYS_BOOT" or "SYS_MODULE" or "SYS_PTRACE" or "SYS_RAWIO"  or "SYSLOG")
-  and not kubernetes.audit.requestObject.spec.containers.image : ("docker.elastic.co/beats/elastic-agent:8.4.0" or "rancher/klipper-lb:v0.3.5" or "")
+event.dataset: kubernetes.audit_logs and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
+kubernetes.audit.verb: create and kubernetes.audit.objectRef.resource: pods and
+kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add: ("BPF" or "DAC_READ_SEARCH"  or "NET_ADMIN" or "SYS_ADMIN" or "SYS_BOOT" or "SYS_MODULE" or "SYS_PTRACE" or "SYS_RAWIO"  or "SYSLOG") and
+not (
+  kubernetes.audit.requestObject.spec.containers.image : (docker.elastic.co/beats/elastic-agent* or rancher/klipper-lb* or "") or
+  kubernetes.audit.objectRef.namespace:"kube-system" or
+  (kubernetes.audit.objectRef.namespace:datadog and kubernetes.audit.requestObject.spec.containers.image:*datadog-agent*) or
+  (kubernetes.audit.objectRef.namespace:kubearmor and kubernetes.audit.requestObject.spec.containers.image:(*kubearmor\:kubearmor* or kubearmor/kubearmor-snitch*)) or
+  (kubernetes.audit.objectRef.namespace:defender and kubernetes.audit.requestObject.spec.containers.image:*fp-prisma\:defender-defender*) or
+  (kubernetes.audit.objectRef.namespace:metallb-system and kubernetes.audit.requestObject.spec.containers.image:(quay.io/frrouting* or quay.io/metallb/speaker*)) or
+  (kubernetes.audit.objectRef.namespace:longhorn-system and kubernetes.audit.requestObject.spec.containers.image:rancher/mirrored-longhornio*)
+)
 '''

-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1611"
 name = "Escape to Host"
 reference = "https://attack.mitre.org/techniques/T1611/"

-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1610"
 name = "Deploy Container"
 reference = "https://attack.mitre.org/techniques/T1610/"

-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
@@ -2,7 +2,7 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2025/06/18"
+updated_date = "2026/02/02"

 [rule]
 author = ["Elastic"]
@@ -73,42 +73,47 @@ references = [
 risk_score = 47
 rule_id = "764c8437-a581-4537-8060-1fdb0e92c92d"
 severity = "medium"
-tags = ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
+tags = [
+  "Data Source: Kubernetes",
+  "Domain: Kubernetes",
+  "Use Case: Threat Detection",
+  "Tactic: Execution",
+  "Tactic: Privilege Escalation",
+  "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
-
 query = '''
-event.dataset : "kubernetes.audit_logs"
-  and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
-  and kubernetes.audit.objectRef.resource:"pods"
-  and kubernetes.audit.verb:("create" or "update" or "patch")
-  and kubernetes.audit.requestObject.spec.hostIPC:true
-  and not kubernetes.audit.requestObject.spec.containers.image: ("docker.elastic.co/beats/elastic-agent:8.4.0")
+event.dataset : "kubernetes.audit_logs" and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
+kubernetes.audit.objectRef.resource:"pods" and kubernetes.audit.verb:("create" or "update" or "patch") and
+kubernetes.audit.requestObject.spec.hostIPC:true and
+not kubernetes.audit.requestObject.spec.containers.image: (
+  docker.elastic.co/beats/elastic-agent* or rancher/system-agent* or registry.crowdstrike.com/falcon-sensor*
+)
 '''

-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1611"
 name = "Escape to Host"
 reference = "https://attack.mitre.org/techniques/T1611/"

-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1610"
 name = "Deploy Container"
 reference = "https://attack.mitre.org/techniques/T1610/"

-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
@@ -2,7 +2,7 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2025/06/18"
+updated_date = "2026/02/02"

 [rule]
 author = ["Elastic"]
@@ -70,42 +70,55 @@ references = [
 risk_score = 47
 rule_id = "12cbf709-69e8-4055-94f9-24314385c27e"
 severity = "medium"
-tags = ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
+tags = [
+    "Data Source: Kubernetes",
+    "Domain: Kubernetes",
+    "Use Case: Threat Detection",
+    "Tactic: Execution",
+    "Tactic: Privilege Escalation",
+    "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
-
 query = '''
-event.dataset : "kubernetes.audit_logs"
-  and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
-  and kubernetes.audit.objectRef.resource:"pods"
-  and kubernetes.audit.verb:("create" or "update" or "patch")
-  and kubernetes.audit.requestObject.spec.hostNetwork:true
-  and not kubernetes.audit.requestObject.spec.containers.image: ("docker.elastic.co/beats/elastic-agent:8.4.0")
+event.dataset:kubernetes.audit_logs and kubernetes.audit.annotations.authorization_k8s_io/decision:allow and
+kubernetes.audit.objectRef.resource:pods and kubernetes.audit.verb:(create or patch or update) and
+kubernetes.audit.requestObject.spec.hostNetwork:true and
+not (
+  kubernetes.audit.requestObject.spec.containers.image:(
+    *eks/observability/aws-for-fluent-bit* or *eks/observability/cloudwatch-agent* or *elastic-agent* or *quay/tigera* or *tigera/operator* or
+    docker.io/bitnami/node-exporter* or docker.io/rancher/mirrored-calico-operator* or quay.io/calico/node* or quay.io/cephcsi/cephcsi* or
+    quay.io/frrouting/frr* or quay.io/metallb/speaker* or quay.io/prometheus/node-exporter* or rancher/system-agent* or
+    registry.crowdstrike.com/falcon-sensor* or registry.k8s.io/sig-storage/csi-node-driver-registrar*
+  ) or
+  kubernetes.audit.objectRef.namespace:(
+    calico or calico-system or cilium or elastic or ingress-nginx or kube-system or noname-security-posture or openebs or sysdig-agent
+  )
+)
 '''

-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1611"
 name = "Escape to Host"
 reference = "https://attack.mitre.org/techniques/T1611/"

-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1610"
 name = "Deploy Container"
 reference = "https://attack.mitre.org/techniques/T1610/"

-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
@@ -2,7 +2,7 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2025/06/18"
+updated_date = "2026/02/02"

 [rule]
 author = ["Elastic"]
@@ -73,42 +73,50 @@ references = [
 risk_score = 47
 rule_id = "df7fda76-c92b-4943-bc68-04460a5ea5ba"
 severity = "medium"
-tags = ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
+tags = [
+    "Data Source: Kubernetes",
+    "Domain: Kubernetes",
+    "Use Case: Threat Detection",
+    "Tactic: Execution",
+    "Tactic: Privilege Escalation",
+    "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
-
 query = '''
-event.dataset : "kubernetes.audit_logs"
-  and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
-  and kubernetes.audit.objectRef.resource:"pods"
-  and kubernetes.audit.verb:("create" or "update" or "patch")
-  and kubernetes.audit.requestObject.spec.hostPID:true
-  and not kubernetes.audit.requestObject.spec.containers.image: ("docker.elastic.co/beats/elastic-agent:8.4.0")
+event.dataset : "kubernetes.audit_logs" and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
+kubernetes.audit.objectRef.resource:"pods" and kubernetes.audit.verb:("create" or "update" or "patch") and
+kubernetes.audit.requestObject.spec.hostPID:true and
+not kubernetes.audit.requestObject.spec.containers.image: (
+  ghcr.io/aquasecurity/node-collector* or rancher/system-agent* or ghcr.io/kubereboot/kured* or 
+  *elastic/elastic-agent* or registry.k8s.io/sig-storage/csi-node-driver-registrar* or quay.io/prometheus/node-exporter* or
+  docker.elastic.co/beats/elastic-agent* or quay.io/cephcsi/cephcsi* or registry.crowdstrike.com/falcon-sensor* or */sysdig/* or
+  rancher/mirrored-longhornio-longhorn-manager* or gcr.io/datadoghq/agent* or mcr.microsoft.com/oss/*/kubernetes-csi*
+)
 '''

-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1611"
 name = "Escape to Host"
 reference = "https://attack.mitre.org/techniques/T1611/"

-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1610"
 name = "Deploy Container"
 reference = "https://attack.mitre.org/techniques/T1610/"

-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
@@ -2,7 +2,7 @@
 creation_date = "2022/07/11"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2025/06/18"
+updated_date = "2026/02/02"

 [rule]
 author = ["Elastic"]
@@ -25,13 +25,13 @@ false_positives = [
 index = ["logs-kubernetes.audit_logs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Kubernetes Pod created with a Sensitive hostPath Volume"
+name = "Kubernetes Pod Created with a Sensitive hostPath Volume"
 note = """## Triage and analysis

 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

-### Investigating Kubernetes Pod created with a Sensitive hostPath Volume
+### Investigating Kubernetes Pod Created with a Sensitive hostPath Volume

 Kubernetes allows containers to access host filesystems via hostPath volumes, which can be crucial for certain applications. However, if a container is compromised, adversaries can exploit these mounts to access sensitive host data or escalate privileges. The detection rule identifies when pods are created or modified with hostPath volumes pointing to critical directories, signaling potential misuse or security risks.

@@ -72,58 +72,59 @@ references = [
 risk_score = 47
 rule_id = "2abda169-416b-4bb3-9a6b-f8d239fd78ba"
 severity = "medium"
-tags = ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
+tags = [
+    "Data Source: Kubernetes",
+    "Domain: Kubernetes",
+    "Use Case: Threat Detection",
+    "Tactic: Execution",
+    "Tactic: Privilege Escalation",
+    "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
-
 query = '''
-event.dataset : "kubernetes.audit_logs"
-  and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
-  and kubernetes.audit.objectRef.resource:"pods"
-  and kubernetes.audit.verb:("create" or "update" or "patch")
-  and kubernetes.audit.requestObject.spec.volumes.hostPath.path:
-  ("/" or
-  "/proc" or
-  "/root" or
-  "/var" or
-  "/var/run" or
-  "/var/run/docker.sock" or
-  "/var/run/crio/crio.sock" or
-  "/var/run/cri-dockerd.sock" or
-  "/var/lib/kubelet" or
-  "/var/lib/kubelet/pki" or
-  "/var/lib/docker/overlay2" or
-  "/etc" or
-  "/etc/kubernetes" or
-  "/etc/kubernetes/manifests" or
-  "/etc/kubernetes/pki" or
-  "/home/admin")
-  and not kubernetes.audit.requestObject.spec.containers.image: ("docker.elastic.co/beats/elastic-agent:8.4.0")
+event.dataset : "kubernetes.audit_logs" and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
+kubernetes.audit.objectRef.resource:"pods" and kubernetes.audit.verb:("create" or "update" or "patch") and
+kubernetes.audit.requestObject.spec.volumes.hostPath.path: (
+  "/" or "/proc" or "/root" or "/var" or "/var/run" or "/var/run/docker.sock" or "/var/run/crio/crio.sock" or
+  "/var/run/cri-dockerd.sock" or "/var/lib/kubelet" or "/var/lib/kubelet/pki" or "/var/lib/docker/overlay2" or
+  "/etc" or "/etc/kubernetes" or "/etc/kubernetes/manifests" or "/etc/kubernetes/pki" or "/home/admin"
+) and
+not kubernetes.audit.requestObject.spec.containers.image: (
+  docker.elastic.co/beats/elastic-agent* or *elastic/elastic-agent* or docker.elastic.co/elastic-agent/elastic-agent* or
+  *elastic-agent\:dev* or *cloudops-azure-devops-agent* or rancher/mirrored-longhornio-longhorn-instance-manager* or
+  quay.io/calico* or ghcr.io/aquasecurity* or rancher/system-agent* or rancher/mirrored-longhornio-csi-node-driver-registrar* or
+  rancher/mirrored-longhornio-livenessprobe* or quay.io/prometheus/node-exporter* or *eks/observability/cloudwatch-agent* or
+  amazon/aws-efs-csi-driver* or public.ecr.aws/eks-distro/kubernetes-csi* or quay.io/cilium/cilium* or openebs/node-disk-manager* or
+  openebs/cstor-csi-driver* or registry.k8s.io/sig-storage/csi-node-driver-registrar* or *.amazonaws.com/eks/csi-node-driver-registrar* or
+  *.amazonaws.com/eks/livenessprobe* or *.amazonaws.com/eks/aws-efs-csi-driver* or mcr.microsoft.com/oss/v2/kubernetes-csi* or
+  rancher/mirrored-cilium-cilium* or jenkins/inbound-agent* or gcr.io/datadoghq/agent* or rancher/mirrored-longhornio-longhorn-share-manager* or
+  */sysdig/*
+)
 '''

-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1611"
 name = "Escape to Host"
 reference = "https://attack.mitre.org/techniques/T1611/"

-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1610"
 name = "Deploy Container"
 reference = "https://attack.mitre.org/techniques/T1610/"

-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
@@ -2,7 +2,7 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2025/06/18"
+updated_date = "2026/02/02"

 [rule]
 author = ["Elastic"]
@@ -70,42 +70,53 @@ references = [
 risk_score = 47
 rule_id = "c7908cac-337a-4f38-b50d-5eeb78bdb531"
 severity = "medium"
-tags = ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
+tags = [
+    "Data Source: Kubernetes",
+    "Domain: Kubernetes",
+    "Use Case: Threat Detection",
+    "Tactic: Execution",
+    "Tactic: Privilege Escalation",
+    "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
-
 query = '''
-event.dataset : "kubernetes.audit_logs"
-  and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
-  and kubernetes.audit.objectRef.resource:pods
-  and kubernetes.audit.verb:create
-  and kubernetes.audit.requestObject.spec.containers.securityContext.privileged:true
-  and not kubernetes.audit.requestObject.spec.containers.image: ("docker.elastic.co/beats/elastic-agent:8.4.0")
+event.dataset : "kubernetes.audit_logs" and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
+kubernetes.audit.objectRef.resource:pods and kubernetes.audit.verb:create and kubernetes.audit.requestObject.spec.containers.securityContext.privileged:true and
+not kubernetes.audit.requestObject.spec.containers.image: (
+  *amazonaws.com/betsie/pipeline/pipeline-core* or mirror.gcr.io/aquasec/trivy* or rancher/mirrored-longhornio-longhorn-instance-manager* or quay.io/calico* or
+  rancher/system-agent* or openebs/m-exporter* or openebs/cstor-istgt* or ghcr.io/kubereboot/kured* or registry.k8s.io/sig-storage/csi-node-driver-registrar* or
+  registry.k8s.io/csi-secrets-store* or registry.gitlab.com/gitlab-org/gitlab-runner/gitlab-runner-helper* or sonarsource/sonar-scanner-cli* or
+  rancher/mirrored-longhornio-longhorn-engine* or jenkins/inbound-agent* or mcr.microsoft.com/oss/v2/kubernetes-csi* or registry.k8s.io/dns/k8s-dns-node-cache* or
+  *amazonaws.com/eks/kube-proxy* or *amazonaws.com/eks/aws-efs-csi-driver* or *amazonaws.com/eks/livenessprobe* or *amazonaws.com/amazon-k8s-cni* or
+  *amazonaws.com/amazon/aws-network-policy-agent* or mcr.microsoft.com/oss/kubernetes-csi* or openebs/node-disk-manager* or openebs/node-disk-exporter* or
+  mcr.microsoft.com/oss/kubernetes/kube-proxy* or public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe* or public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner* or
+  amazon/aws-efs-csi-driver* or registry.k8s.io/kube-proxy* or registry.crowdstrike.com/falcon-sensor* or *octopus-deploy/tentacle* or */sysdig/*
+)
 '''

-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1611"
 name = "Escape to Host"
 reference = "https://attack.mitre.org/techniques/T1611/"

-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1610"
 name = "Deploy Container"
 reference = "https://attack.mitre.org/techniques/T1610/"

-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-
@@ -2,7 +2,7 @@
 creation_date = "2022/09/13"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2025/06/18"
+updated_date = "2026/02/02"

 [rule]
 author = ["Elastic"]
@@ -69,35 +69,41 @@ references = [
 risk_score = 47
 rule_id = "63c05204-339a-11ed-a261-0242ac120002"
 severity = "medium"
-tags = ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
+tags = [
+    "Data Source: Kubernetes",
+    "Domain: Kubernetes",
+    "Use Case: Threat Detection",
+    "Tactic: Execution",
+    "Tactic: Privilege Escalation",
+    "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
-
 query = '''
-event.dataset : "kubernetes.audit_logs"
-  and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow"
-  and kubernetes.audit.verb : "create"
-  and kubernetes.audit.objectRef.resource : "pods"
-  and kubernetes.audit.objectRef.namespace : "kube-system"
-  and kubernetes.audit.requestObject.spec.serviceAccountName:*controller
+event.dataset : "kubernetes.audit_logs" and kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
+kubernetes.audit.verb : "create" and kubernetes.audit.objectRef.resource : "pods" and
+kubernetes.audit.objectRef.namespace : "kube-system" and kubernetes.audit.requestObject.spec.serviceAccountName:*controller and
+not kubernetes.audit.requestObject.spec.containers.image:(
+  mirror.gcr.io/aquasec/trivy* or *amazonaws.com/eks/snapshot-controller* or rancher/mirrored-sig-storage-snapshot-controller* or
+  public.ecr.aws/eks/aws-load-balancer-controller* or docker.io/bitnami/sealed-secrets-controller* or exoscale/csi-driver* or
+  registry.k8s.io/autoscaling/vpa-admission-controller* or registry.k8s.io/sig-storage/csi-attacher* or registry.k8s.io/sig-storage/csi-provisioner*
+)
 '''

-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1078.001"
 name = "Default Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/001/"

-
-
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-