From db90345fd5be54e40d0490e7b54d8921fd4e1264 Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Mon, 17 Jul 2023 13:03:05 -0400
Subject: [PATCH] [Rule Tuning] Kubernetes Anonymous Request Authorized (#2865)

* rule tuning for exclusions

* optimized query

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
---
 .../initial_access_anonymous_request_authorized.toml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
index 13bdc463d..6da38310c 100644
--- a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
+++ b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
@@ -4,7 +4,8 @@ integration = ["kubernetes"]
 maturity = "production"
 min_stack_comments = "New fields added to Kubernetes Integration"
 min_stack_version = "8.4.0"
-updated_date = "2023/06/22"
+updated_date = "2023/06/23"
+
 
 [rule]
 author = ["Elastic"]
@@ -41,7 +42,7 @@ query = '''
 event.dataset:kubernetes.audit_logs and kubernetes.audit.annotations.authorization_k8s_io/decision:allow and kubernetes.audit.user.username:("system:anonymous" or "system:unauthenticated" or not *)
- and not kubernetes.audit.objectRef.resource:(healthz or livez or readyz)
+ and not kubernetes.audit.requestURI:(/healthz* or /livez* or /readyz*)
 '''