
Commit b9c6517

authored
[New Rule] Forbidden Request from Unusual User Agent in Kubernetes (#4818)
* [New Rule] Forbidden Request from Unusual User Agent in Kubernetes * Update rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml
1 parent 0aefedd commit b9c6517


1 file changed

+42
-0
lines changed

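--- a/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml
+++ b/rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml
@@ -0,0 +1,42 @@
+[metadata]
+creation_date = "2025/06/17"
+integration = ["kubernetes"]
+maturity = "production"
+updated_date = "2025/06/17"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects when a forbidden request is made from an unusual user agent in a Kubernetes environment.
+Adversary tooling may use non-standard or unexpected user agents to interact with the Kubernetes API, which
+can indicate an attempt to evade detection or blend in with legitimate traffic. In combination with a forbidden
+request, this behavior can suggest an adversary is attempting to exploit vulnerabilities or misconfigurations
+in the Kubernetes cluster.
+"""
+index = ["logs-kubernetes.audit_logs-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Forbidden Request from Unusual User Agent in Kubernetes"
+risk_score = 47
+rule_id = "4b77d382-b78e-4aae-85a0-8841b80e4fc4"
+severity = "medium"
+tags = ["Data Source: Kubernetes", "Tactic: Execution"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+any where host.os.type == "linux" and event.dataset == "kubernetes.audit_logs" and
+kubernetes.audit.stage == "ResponseComplete" and `kubernetes.audit.annotations.authorization_k8s_io/decision` == "forbid" and
+not user_agent.original like~ (
+"/", "karpenter", "csi-secrets-store/*", "elastic-agent/*", "agentbeat/*", "insights-operator*", "oc/*", "cloud-defend/*",
+"OpenAPI-Generator/*", "local-storage-operator/*", "falcon-client/*", "nginx-ingress-controller/*", "config-translator/*",
+"kwatch/*", "PrometheusOperator/*", "kube*"
+)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"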
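Review bot: The trailing `"kube*"` pattern in the `like~` exclusion list (new-file line 32) is a case-insensitive prefix wildcard, so it silently drops every forbidden request whose user agent merely starts with "kube" — not just kubelet and the control-plane components, but kubectl and any client that labels itself that way — which is a large share of the exact traffic the rule's description says it wants to see. If excluding kubectl is intended, it should be stated, e.g. a `note` or a sentence in `description` such as `Requests from kubectl and in-cluster kube-* components are excluded by the "kube*" pattern; tune this list to the agents expected in your environment.`; if not, replace the catch-all with the specific component agents (`"kubelet/*"`, `"kube-controller-manager/*"`, and so on) so forbidden kubectl requests from an unexpected principal still surface. Relatedly, the bare `"/"` entry is an exact match rather than a wildcard, and a short comment on what emits that user agent would help the next person tuning the list. The file path in the commit description spells "unsual", which is worth fixing before other files reference it.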
