[New Rule] Kubernetes Unusual Decision by User Agent (#4829)

Aegrah · tradebot-elastic · commit 86111a3c981d · 2025-07-18T07:47:37.000Z
* [New Rule] Kubernetes Unusual Request Response by User Agent * ++ * Update execution_unusual_request_response_by_user_agent.toml * Update rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml * Update execution_unusual_request_response_by_user_agent.toml * Update rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml (cherry picked from commit 9f46d5b)
diff --git a/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml b/rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml
@@ -0,0 +1,51 @@
+[metadata]
+creation_date = "2025/06/18"
+integration = ["kubernetes"]
+maturity = "production"
+updated_date = "2025/06/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects unusual request responses in Kubernetes audit logs through the use of the
+"new_terms" rule type. In production environments, default API requests are typically made by
+system components or trusted users, who are expected to have a consistent user agent and
+allowed response annotations. By monitoring for anomalies in the username and response
+annotations, this rule helps identify potential unauthorized access or misconfigurations
+in the Kubernetes environment.
+"""
+index = ["logs-kubernetes.audit_logs-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Kubernetes Unusual Decision by User Agent"
+risk_score = 21
+rule_id = "8a1db198-da6f-4500-b985-7fe2457300af"
+severity = "low"
+tags = [
+    "Domain: Kubernetes",
+    "Domain: Container",
+    "Use Case: Threat Detection",
+    "Data Source: Kubernetes",
+    "Tactic: Execution"
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+host.os.type:"linux" and event.dataset:"kubernetes.audit_logs" and kubernetes.audit.stage:"ResponseComplete" and user_agent.original:*
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["kubernetes.audit.annotations.authorization_k8s_io/decision", "kubernetes.audit.user.username", "user_agent.original"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-10d"
