Skip to content

[New Rule] Kubernetes Unusual Decision by User Agent #4829

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

[New Rule] Kubernetes Unusual Decision by User Agent #4829

wants to merge 6 commits into from

Conversation

Aegrah
Copy link
Contributor

@Aegrah Aegrah commented Jun 19, 2025

Summary

This rule detects unusual request responses in Kubernetes audit logs through the use of the "new_terms" rule type. In production environments, default API requests are typically made by system components or trusted users, which are expected to have a consistent user agent and allowed response annotations. By monitoring for anomalies in the username and response annotations, this rule helps identify potential unauthorized access or misconfigurations in the Kubernetes environment.

Telemetry

User agents, usernames, and decisions are typically consistent in production environments, as all API requests should be allowed. This rule leverages the new_terms rule type to find requests that deviate from this pattern.

If this rule were to be noisy, I can exclude certain service account behavior + commonly hit API endpoints.

@Aegrah Aegrah self-assigned this Jun 19, 2025
@Aegrah Aegrah added OS: Linux Rule: New Proposal for new rule Integration: Kubernetes Kubernetes Integration container Team: TRADE and removed container labels Jun 19, 2025
@github-actions GitHub Actions
Copy link
Contributor

Rule: New - Guidelines

These guidelines serve as a reminder set of considerations when proposing a new rule.

Documentation and Context

  • Detailed description of the rule.
  • List any new fields required in ECS/data sources.
  • Link related issues or PRs.
  • Include references.

Rule Metadata Checks

  • creation_date matches the date of creation PR initially merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive, considering performance for diverse environments. Non ecs fields should be added to non-ecs-schema.json if not available in an integration.
  • min_stack_comments and min_stack_version should be included if the rule is only compatible starting from a specific stack version.
  • index pattern should be neither too specific nor too vague, ensuring it accurately matches the relevant data stream (e.g., use logs-endpoint.process-* for process data).
  • integration should align with the index. If the integration is newly introduced, ensure the manifest, schemas, and new_rule.yaml template are updated.
  • setup should include the necessary steps to configure the integration.
  • note should include any additional information (e.g. Triage and analysis investigation guides, timeline templates).
  • tags should be relevant to the threat and align/added to the EXPECTED_RULE_TAGS in the definitions.py file.
  • threat, techniques, and subtechniques should map to ATT&CK always if possible.

New BBR Rules

  • building_block_type should be included if the rule is a building block and the rule should be located in the rules_building_block folder.
  • bypass_bbr_timing should be included if adding custom lookback timing to the rule.

Testing and Validation

  • Provide evidence of testing and detecting the expected threat.
  • Check for existence of coverage to prevent duplication.

terrancedejesus
terrancedejesus reviewed Jun 23, 2025
View reviewed changes
rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml
for anomalies in the username and response annotations, this rule helps identify
potential unauthorized access or misconfigurations in the Kubernetes environment.
"""
index = ["logs-kubernetes.audit_logs-*"]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did we intentionally exclude from rule object?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is a good question. I copy pasted the template from the other k8s rules. I just did a check in the kubernetes repository, and the from field is nowhere present.

{A42E56E7-528A-45B2-8F59-D746DEE66A99}

@imays11 do you happen to know why this is not set? Is this related to timestamps in the audit log file system?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The default value (if not specified) for it is now-6m afaik

terrancedejesus
terrancedejesus reviewed Jun 23, 2025
View reviewed changes
rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml Outdated
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.dataset:"kubernetes.audit_logs" and kubernetes.audit.stage:"ResponseComplete" and user_agent.original:*
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I dont know if it's applicable but may want to ensure user_agent is not "" instead as * will include these.

Copy link
Contributor Author

@Aegrah Aegrah Jun 30, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I want to filter out cases where the user_agent.original field does not exist, as this will break the logic based on the new_terms value; generally speaking, the user_agent.original is supplied; having an empty string there is (as far as I know based on my research) suspicious, as that is not common by default system behavior.

{26EB0D5A-4890-4664-B710-605196487707}

The empty user_agent.original example above is based on reconnaissance activity from a network scanner.

w0rk3r
w0rk3r reviewed Jun 25, 2025
View reviewed changes
rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml Outdated
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.dataset:"kubernetes.audit_logs" and kubernetes.audit.stage:"ResponseComplete" and user_agent.original:*
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why we are filtering for the user_agent.original field and not "kubernetes.audit.annotations.authorization_k8s_io/decision", "kubernetes.audit.user.username"?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because these two fields are always present, I figured it does not require filtering, while the user agent string can be empty in certain cases.

@imays11
Copy link
Contributor

imays11 commented Jun 27, 2025

Do you have any logs we can view in the shared stack?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@w0rk3r w0rk3r w0rk3r left review comments

@imays11 imays11 imays11 left review comments

@terrancedejesus terrancedejesus terrancedejesus approved these changes

@shashank-elastic shashank-elastic Awaiting requested review from shashank-elastic

At least 2 approving reviews are required to merge this pull request.

Assignees

@Aegrah Aegrah

Labels
backport: auto Integration: Kubernetes Kubernetes Integration OS: Linux Rule: New Proposal for new rule Team: TRADE
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Aegrah @imays11 @w0rk3r @terrancedejesus