From fa5fc6094edb30b650c833f71e93547a7de5046e Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Thu, 9 Jun 2022 17:52:45 -0400
Subject: [PATCH] [New Rule] Kubernetes execution_user_exec_to_pod (#1979)
* Create execution_user_exec_to_pod.toml
* Update execution_user_exec_to_pod.toml
* Update rules/integrations/kubernetes/execution_user_exec_to_pod.toml
* Update non-ecs-schema.json
* Update execution_user_exec_to_pod.toml
* Update rules/integrations/kubernetes/execution_user_exec_to_pod.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update execution_user_exec_to_pod.toml
* Update execution_user_exec_to_pod.toml
* Update execution_user_exec_to_pod.toml
* toml-linted file and add to false positive toml-linted the file and added to the false positive description
* Create notepad.sct Added this back into the repo, deleted by mistake.
* added min_stack_version based on integration min stack version determined by integration support of necessary fields
Co-authored-by: Jonhnathan
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit 63fda01fdd9d415c049fc4f386977923ec5c77a9)
---
 detection_rules/etc/non-ecs-schema.json | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index 447f3634c..d6f47d23b 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -56,5 +56,9 @@
 },
 "logs-windows.*": {
 "powershell.file.script_block_text": "text"
+ },
+ "logs-kubernetes.*": {
+ "kubernetes.audit.objectRef.resource": "keyword",
+ "kubernetes.audit.objectRef.subresource": "keyword"
 }
 }
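Review bot: The new `logs-kubernetes.*` entry declares only `kubernetes.audit.objectRef.resource` and `kubernetes.audit.objectRef.subresource`, while the rule file the description names (`rules/integrations/kubernetes/execution_user_exec_to_pod.toml`) is not part of this cherry-picked patch, so nothing in this diff confirms these are the only non-ECS `kubernetes.audit.*` fields that rule queries; any other such field it references (the audit verb or requesting user, for instance) would fail schema validation on this branch until it is added to the same object. Typing both as `keyword` is appropriate for the exact-match comparisons a resource/subresource check implies, but it should be confirmed against the Kubernetes integration's own field mapping so the validator and the indexed type agree. Because this file is strict JSON there is no place for an in-file comment, so the rationale for each non-ECS entry is best recorded in the commit message or the rule's `note` field rather than here.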