From e666cabb3d671f31357b3bee8a022279f8cbd81f Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Tue, 24 Jun 2025 13:18:58 +0200
Subject: [PATCH] [Rule Tuning] Added Kubernetes Data Source Tag (#4831)

---
 ...ential_access_kubernetes_service_account_secret_access.toml | 3 ++-
 rules/linux/discovery_kubeconfig_file_discovery.toml | 3 ++-
 rules/linux/discovery_kubectl_permission_discovery.toml | 3 ++-
 rules/linux/lateral_movement_kubeconfig_file_activity.toml | 3 ++-
 4 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/rules/linux/credential_access_kubernetes_service_account_secret_access.toml b/rules/linux/credential_access_kubernetes_service_account_secret_access.toml
index 28b395bef..0ac38fde1 100644
--- a/rules/linux/credential_access_kubernetes_service_account_secret_access.toml
+++ b/rules/linux/credential_access_kubernetes_service_account_secret_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/06/17"
+updated_date = "2025/06/19"
 
 [rule]
 author = ["Elastic"]
@@ -49,6 +49,7 @@ severity = "medium"
 tags = [
 "Domain: Endpoint",
 "Domain: Container",
+"Domain: Kubernetes",
 "OS: Linux",
 "Use Case: Threat Detection",
 "Tactic: Credential Access",
diff --git a/rules/linux/discovery_kubeconfig_file_discovery.toml b/rules/linux/discovery_kubeconfig_file_discovery.toml
index 5ba0b9d2e..310507deb 100644
--- a/rules/linux/discovery_kubeconfig_file_discovery.toml
+++ b/rules/linux/discovery_kubeconfig_file_discovery.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/06/17"
+updated_date = "2025/06/19"
 
 [rule]
 author = ["Elastic"]
@@ -56,6 +56,7 @@ severity = "low"
 tags = [
 "Domain: Endpoint",
 "Domain: Container",
+"Domain: Kubernetes",
 "OS: Linux",
 "Use Case: Threat Detection",
 "Tactic: Discovery",
diff --git a/rules/linux/discovery_kubectl_permission_discovery.toml b/rules/linux/discovery_kubectl_permission_discovery.toml
index feefba4d9..c2a81330d 100644
--- a/rules/linux/discovery_kubectl_permission_discovery.toml
+++ b/rules/linux/discovery_kubectl_permission_discovery.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/06/17"
+updated_date = "2025/06/19"
 
 [rule]
 author = ["Elastic"]
@@ -52,6 +52,7 @@ severity = "low"
 tags = [
 "Domain: Endpoint",
 "Domain: Container",
+"Domain: Kubernetes",
 "OS: Linux",
 "Use Case: Threat Detection",
 "Tactic: Discovery",
diff --git a/rules/linux/lateral_movement_kubeconfig_file_activity.toml b/rules/linux/lateral_movement_kubeconfig_file_activity.toml
index cd4e298d7..94a98959e 100644
--- a/rules/linux/lateral_movement_kubeconfig_file_activity.toml
+++ b/rules/linux/lateral_movement_kubeconfig_file_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/06/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/06/17"
+updated_date = "2025/06/19"
 
 [rule]
 author = ["Elastic"]
@@ -53,6 +53,7 @@ severity = "medium"
 tags = [
 "Domain: Endpoint",
 "Domain: Container",
+"Domain: Kubernetes",
 "OS: Linux",
 "Use Case: Threat Detection",
 "Tactic: Lateral Movement",