[Rule Tuning] Kubernetes Anonymous Request Authorized (#2865)

* rule tuning for exclusions

* optimized query

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Isai
2023-07-17 13:03:05 -04:00
committed by GitHub
parent 0b64638bf7
commit db90345fd5
@@ -4,7 +4,8 @@ integration = ["kubernetes"]
maturity = "production"
min_stack_comments = "New fields added to Kubernetes Integration"
min_stack_version = "8.4.0"
updated_date = "2023/06/22"
updated_date = "2023/06/23"
[rule]
author = ["Elastic"]
@@ -41,7 +42,7 @@ query = '''
event.dataset:kubernetes.audit_logs
and kubernetes.audit.annotations.authorization_k8s_io/decision:allow
and kubernetes.audit.user.username:("system:anonymous" or "system:unauthenticated" or not *)
and not kubernetes.audit.objectRef.resource:(healthz or livez or readyz)
and not kubernetes.audit.requestURI:(/healthz* or /livez* or /readyz*)
'''
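Review bot: The `requestURI` exclusion for `/healthz*`, `/livez*` and `/readyz*` still leaves `/version`, which the default `system:public-info-viewer` ClusterRole also grants to anonymous and unauthenticated callers, so the rule is likely to keep alerting on benign unauthenticated version probes (assuming the `requestURI` line is the new side of the hunk; this rendering has lost the `+`/`-` markers). If that is meant to stay as signal the rule's description should say so; otherwise the exclusion would become `and not kubernetes.audit.requestURI:(/healthz* or /livez* or /readyz* or /version)`. It is also worth recording in a comment why the `objectRef.resource` form was dropped: the health endpoints are non-resource requests, so `kubernetes.audit.objectRef.resource` is presumably never populated for them and that exclusion would not have matched — confirm against sample audit events. Note that the trailing wildcards intentionally cover subpaths and query strings such as `/healthz/etcd` or `/readyz?verbose`, which is appropriate since those are served by the same health handlers.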