[New Rule] Kubernetes execution_user_exec_to_pod (#1979)

imays11 · github-actions[bot] · commit fa5fc6094edb · 2022-06-09T21:53:15.000Z
* Create execution_user_exec_to_pod.toml * Update execution_user_exec_to_pod.toml * Update rules/integrations/kubernetes/execution_user_exec_to_pod.toml * Update non-ecs-schema.json * Update execution_user_exec_to_pod.toml * Update rules/integrations/kubernetes/execution_user_exec_to_pod.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update execution_user_exec_to_pod.toml * Update execution_user_exec_to_pod.toml * Update execution_user_exec_to_pod.toml * toml-linted file and add to false positive toml-linted the file and added to the false positive description * Create notepad.sct Added this back into the repo, deleted by mistake. * added min_stack_version based on integration min stack version determined by integration support of necessary fields Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit 63fda01)
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
@@ -56,5 +56,9 @@
   },
   "logs-windows.*": {
     "powershell.file.script_block_text": "text"
+  },
+  "logs-kubernetes.*": {
+    "kubernetes.audit.objectRef.resource": "keyword",
+    "kubernetes.audit.objectRef.subresource": "keyword"
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -56,5 +56,9 @@`
`56`	`56`	`},`
`57`	`57`	`"logs-windows.*": {`
`58`	`58`	`"powershell.file.script_block_text": "text"`
	`59`	`+ },`
	`60`	`+ "logs-kubernetes.*": {`
	`61`	`+ "kubernetes.audit.objectRef.resource": "keyword",`
	`62`	`+ "kubernetes.audit.objectRef.subresource": "keyword"`
`59`	`63`	`}`
`60`	`64`	`}`