Skip to content

[New Rule] Kubernetes Unusual Decision by User Agent #4829

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
[metadata]
creation_date = "2025/06/18"
integration = ["kubernetes"]
maturity = "production"
updated_date = "2025/06/18"

[rule]
author = ["Elastic"]
description = """
This rule detects unusual request responses in Kubernetes audit logs through the use of the
"new_terms" rule type. In production environments, default API requests are typically made by
system components or trusted users, who are expected to have a consistent user agent and
allowed response annotations. By monitoring for anomalies in the username and response
annotations, this rule helps identify potential unauthorized access or misconfigurations
in the Kubernetes environment.
"""
index = ["logs-kubernetes.audit_logs-*"]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did we intentionally exclude from rule object?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is a good question. I copy pasted the template from the other k8s rules. I just did a check in the kubernetes repository, and the from field is nowhere present.

{A42E56E7-528A-45B2-8F59-D746DEE66A99}

@imays11 do you happen to know why this is not set? Is this related to timestamps in the audit log file system?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The default value (if not specified) for it is now-6m afaik

language = "kuery"
license = "Elastic License v2"
name = "Kubernetes Unusual Decision by User Agent"
risk_score = 21
rule_id = "8a1db198-da6f-4500-b985-7fe2457300af"
severity = "low"
tags = [
"Domain: Kubernetes",
"Domain: Container",
"Use Case: Threat Detection",
"Data Source: Kubernetes",
"Tactic: Execution"
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type:"linux" and event.dataset:"kubernetes.audit_logs" and kubernetes.audit.stage:"ResponseComplete" and user_agent.original:*
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[rule.new_terms]
field = "new_terms_fields"
value = ["kubernetes.audit.annotations.authorization_k8s_io/decision", "kubernetes.audit.user.username", "user_agent.original"]

[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
Loading