From 92242877f863a1bd40e597c9f7027cd92ce92d6d Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud
Date: Wed, 18 Jun 2025 10:26:36 +0200
Subject: [PATCH 1/2] [Rule Tuning] Sharpening Kubernetes Rules Indices

---
 .../kubernetes/discovery_denied_service_account_request.toml | 4 ++--
 .../kubernetes/discovery_suspicious_self_subject_review.toml | 4 ++--
 rules/integrations/kubernetes/execution_user_exec_to_pod.toml | 4 ++--
 .../initial_access_anonymous_request_authorized.toml | 4 ++--
 ...ersistence_exposed_service_created_with_type_nodeport.toml | 4 ++--
 ...n_container_created_with_excessive_linux_capabilities.toml | 4 ++--
 .../privilege_escalation_pod_created_with_hostipc.toml | 4 ++--
 .../privilege_escalation_pod_created_with_hostnetwork.toml | 4 ++--
 .../privilege_escalation_pod_created_with_hostpid.toml | 4 ++--
 ...escalation_pod_created_with_sensitive_hostpath_volume.toml | 4 ++--
 .../privilege_escalation_privileged_pod_created.toml | 4 ++--
 ...n_suspicious_assignment_of_controller_service_account.toml | 4 ++--
 12 files changed, 24 insertions(+), 24 deletions(-)

diff --git a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
index 28ffde48823..6492e4eb025 100644
--- a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
+++ b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/13"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/06/18"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 problem within the cluster. This behavior should be investigated further.
 """,
 ]
-index = ["logs-kubernetes.*"]
+index = ["logs-kubernetes.audit_logs-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Kubernetes Denied Service Account Request"
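Review bot: The new `index = ["logs-kubernetes.audit_logs-*"]` is a strict subset of the old wildcard, so any deployment that ingested API-server audit events into a differently named Kubernetes index (a custom pipeline or an older integration dataset name) stops alerting silently rather than failing loudly; that is a detection gap, not an error, and the rule's setup/requirements text (outside this hunk) should state that the Kubernetes integration's Audit Logs data stream is now required. The narrowing itself is sound, since a rule keyed on `kubernetes.audit.*` fields can only ever match audit events, but the reason is not recorded anywhere in the file. I would add a one-line comment above the field, `# Audit-log data stream only: kubernetes.audit.* fields never appear in the other kubernetes.* datasets`, so the next tuning pass does not widen it back. The same applies to the eleven sibling rules in this patch.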
diff --git a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
index cc14c799347..cd71cd15431 100644
--- a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
+++ b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/06/30"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/06/18"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 privileges of another token other than that of the compromised account.
 """,
 ]
-index = ["logs-kubernetes.*"]
+index = ["logs-kubernetes.audit_logs-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Kubernetes Suspicious Self-Subject Review"
diff --git a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
index d8045247c12..ee3cd8a8bc6 100644
--- a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
+++ b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/05/17"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2025/06/17"
+updated_date = "2025/06/18"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ false_positives = [
 connected to the terminal: kubectl exec -i -t cassandra -- sh
 """,
 ]
-index = ["logs-kubernetes.*"]
+index = ["logs-kubernetes.audit_logs-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Kubernetes User Exec into Pod"
diff --git a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
index d18b385f201..26d621338b3 100644
--- a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
+++ b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
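Review bot: For the exec-into-pod rule, the narrowed `index = ["logs-kubernetes.audit_logs-*"]` only produces alerts if the cluster's audit policy actually records the `pods/exec` subresource at Metadata level or higher; an audit policy that omits it (common in trimmed-down managed-cluster policies) yields an empty data stream and a rule that looks healthy while detecting nothing. The index change is correct, but this rule's setup guidance, which lies outside the hunk, is the place to say that the audit policy must cover `pods/exec`, and I would mention it there rather than in the `false_positives` text. This rule was also touched the day before (`2025/06/17` → `2025/06/18`), so it may be worth checking that the two edits do not conflict in the query body, which is not visible here.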
@@ -2,7 +2,7 @@
 creation_date = "2022/09/13"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/06/18"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 investigated.
 """,
 ]
-index = ["logs-kubernetes.*"]
+index = ["logs-kubernetes.audit_logs-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Kubernetes Anonymous Request Authorized"
diff --git a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
index 1324eebe7b8..229f671329b 100644
--- a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
+++ b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/06/18"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ false_positives = [
 expose one or more node's IPs directly.
 """,
 ]
-index = ["logs-kubernetes.*"]
+index = ["logs-kubernetes.audit_logs-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Kubernetes Exposed Service Created With Type NodePort"
diff --git a/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml b/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
index 8f1510caf35..bc56b9ab03d 100644
--- a/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/20"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/06/18"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 kubernetes.audit.requestObject.spec.containers.image.
 """,
 ]
-index = ["logs-kubernetes.*"]
+index = ["logs-kubernetes.audit_logs-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Kubernetes Container Created with Excessive Linux Capabilities"
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
index 4479f2ed9f2..3573107f4de 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/06/18"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ false_positives = [
 "kubernetes.audit.requestObject.spec.container.image"
 """,
 ]
-index = ["logs-kubernetes.*"]
+index = ["logs-kubernetes.audit_logs-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Kubernetes Pod Created With HostIPC"
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
index 2d497aa5632..597e5c6e08b 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/06/18"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 "kubernetes.audit.requestObject.spec.container.image"
 """,
 ]
-index = ["logs-kubernetes.*"]
+index = ["logs-kubernetes.audit_logs-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Kubernetes Pod Created With HostNetwork"
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
index 059873838df..0c123fb4b43 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/06/18"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ false_positives = [
 "kubernetes.audit.requestObject.spec.container.image"
 """,
 ]
-index = ["logs-kubernetes.*"]
+index = ["logs-kubernetes.audit_logs-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Kubernetes Pod Created With HostPID"
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
index b3f977fc441..77a4d4698e8 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/11"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/06/18"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ false_positives = [
 "kubernetes.audit.requestObject.spec.container.image"
 """,
 ]
-index = ["logs-kubernetes.*"]
+index = ["logs-kubernetes.audit_logs-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Kubernetes Pod created with a Sensitive hostPath Volume"
diff --git a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
index 51e114c4057..73d345fbfbc 100644
--- a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/05"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/06/18"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ false_positives = [
 trusted container images using the query field "kubernetes.audit.requestObject.spec.container.image"
 """,
 ]
-index = ["logs-kubernetes.*"]
+index = ["logs-kubernetes.audit_logs-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Kubernetes Privileged Pod Created"
diff --git a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
index 56866f5108c..8f3b10592e8 100644
--- a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/09/13"
 integration = ["kubernetes"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/06/18"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 legitimate use-cases and should result in very few false positives.
 """,
 ]
-index = ["logs-kubernetes.*"]
+index = ["logs-kubernetes.audit_logs-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Kubernetes Suspicious Assignment of Controller Service Account"

From 119afe3e9ad696573347344283ef97b4164446f2 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud
Date: Tue, 24 Jun 2025 13:34:19 +0200
Subject: [PATCH 2/2] ++

---
 detection_rules/etc/non-ecs-schema.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index dfe2b4f5f85..d4a70c74cc3 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -96,7 +96,7 @@
 "logs-windows.*": {
 "powershell.file.script_block_text": "text"
 },
-"logs-kubernetes.*": {
+"logs-kubernetes.audit_logs-*": {
 "kubernetes.audit.objectRef.resource": "keyword",
 "kubernetes.audit.objectRef.subresource": "keyword",
 "kubernetes.audit.verb": "keyword",
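Review bot: Renaming the key from `"logs-kubernetes.*"` to `"logs-kubernetes.audit_logs-*"` replaces the schema entry rather than adding a second one, so any Kubernetes rule that still declares `index = ["logs-kubernetes.*"]` loses the `kubernetes.audit.*` field types at validation time; the first patch converts twelve rules, but this diff cannot show whether that is every rule under `rules/integrations/kubernetes/`, so a repository-wide grep for the old pattern should accompany this change. Whether the schema lookup matches rule index strings exactly or by glob is not visible here; if it is exact, the old key would also be needed for any rule that keeps the wider pattern, and keeping both keys with identical bodies is the safer transition. Strict JSON has no comment syntax, so the reason for the narrower key belongs in the commit message, and the second commit's subject `++` records nothing.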