[New Rule] Kubernetes execution_user_exec_to_pod (#1979)

* Create execution_user_exec_to_pod.toml

* Update execution_user_exec_to_pod.toml

* Update rules/integrations/kubernetes/execution_user_exec_to_pod.toml

* Update non-ecs-schema.json

* Update execution_user_exec_to_pod.toml

* Update rules/integrations/kubernetes/execution_user_exec_to_pod.toml

Co-authored-by: Terrance DeJesus <[email protected]>

* Update execution_user_exec_to_pod.toml

* Update execution_user_exec_to_pod.toml

* Update execution_user_exec_to_pod.toml

* toml-linted file and add to false positive

toml-linted the file and added to the false positive description

* Create notepad.sct

Added this back into the repo, deleted by mistake.

* added min_stack_version based on integration

min stack version determined by integration support of necessary fields

Co-authored-by: Jonhnathan <[email protected]>
Co-authored-by: Terrance DeJesus <[email protected]>
Co-authored-by: Colson Wilhoit <[email protected]>

(cherry picked from commit 63fda01)

Author: imays11

detection_rules/etc/non-ecs-schema.json

@@ -56,5 +56,9 @@
   },
   "logs-windows.*": {
     "powershell.file.script_block_text": "text"
+  },
+  "logs-kubernetes.*": {
+    "kubernetes.audit.objectRef.resource": "keyword",
+    "kubernetes.audit.objectRef.subresource": "keyword"
   }
 }

rules/integrations/kubernetes/execution_user_exec_to_pod.toml

@@ -0,0 +1,64 @@
+[metadata]
+creation_date = "2022/05/17"
+integration = "kubernetes"
+maturity = "production"
+min_stack_comments = "Necessary audit log fields not available prior to 8.2"
+min_stack_version = "8.2"
+updated_date = "2022/06/09"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects a user attempt to establish a shell session into a pod using the 'exec' command. Using the 'exec'
+command in a pod allows a user to establish a temporary shell session and execute any process/commands in the pod. An
+adversary may call bash to gain a persistent interactive shell which will allow access to any data the pod has
+permissions to, including secrets.
+"""
+false_positives = [
+    """
+    An administrator may need to exec into a pod for a legitimate reason like debugging purposes. Containers built from
+    Linux and Windows OS images, tend to include debugging utilities. In this case, an admin may choose to run commands
+    inside a specific container with kubectl exec ${POD_NAME} -c ${CONTAINER_NAME} -- ${CMD} ${ARG1} ${ARG2} ...
+    ${ARGN}. For example, the following command can be used to look at logs from a running Cassandra pod: kubectl exec
+    cassandra --cat /var/log/cassandra/system.log . Additionally, the -i and -t arguments might be used to run a shell
+    connected to the terminal: kubectl exec -i -t cassandra -- sh
+    """,
+]
+index = ["logs-kubernetes.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Kubernetes User Exec into Pod"
+note = """## Config
+
+The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule."""
+references = [
+    "https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/",
+    "https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/",
+]
+risk_score = 47
+rule_id = "14de811c-d60f-11ec-9fd7-f661ea17fbce"
+severity = "medium"
+tags = ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:"kubernetes.audit_logs" 
+  and kubernetes.audit.objectRef.resource:"pods" 
+  and kubernetes.audit.objectRef.subresource:"exec"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1609"
+name = "Container Administration Command"
+reference = "https://attack.mitre.org/techniques/T1609/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+