Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions packages/security_detection_engine/changelog.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
# newer versions go on top
# NOTE: please use pre-release versions (e.g. -beta.0) until a package is ready for production
- version: 8.19.27-beta.1
changes:
- description: Release security rules update
type: enhancement
link: https://github.com/elastic/integrations/pull/20006
- version: 8.19.26
changes:
- description: Release security rules update
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,108 @@
{
"attributes": {
"author": [
"Elastic"
],
"description": "Detects GKE pod create, update, or patch events that enable host network namespace sharing. HostNetwork grants access to the node network stack and can bypass namespace network policies. System identities and controller-owned workloads are excluded.",
"false_positives": [
"Monitoring agents and CNI components may require hostNetwork. Exclude known platform identities after review."
],
"index": [
"logs-gcp.audit-*"
],
"language": "kuery",
"license": "Elastic License v2",
"name": "GKE Pod Created With HostNetwork",
"note": "## Triage and analysis\n\n### Investigating GKE Pod Created With HostNetwork\n\nHostNetwork pods can observe or interact with node-local services. Validate the actor and workload purpose.\n\n### Investigation steps\n\n- Review `user.email`, pod name, namespace, and container images in `gcp.audit.request`.\n- Hunt for secret access or exec from the same identity after the change.\n\n### False positives\n\n- Platform DaemonSets often use hostNetwork; controller ownerReferences exclusion reduces noise.",
"query": "data_stream.dataset:gcp.audit and\nevent.action:(\"io.k8s.core.v1.pods.create\" or \"io.k8s.core.v1.pods.update\" or \"io.k8s.core.v1.pods.patch\") and\ngcp.audit.request.spec.hostNetwork:true and\nnot gcp.audit.request.metadata.ownerReferences.kind:(\"ReplicaSet\" or \"DaemonSet\" or \"StatefulSet\") and\nnot user.email:system\\:*\n",
"references": [
"https://kubernetes.io/docs/concepts/security/pod-security-standards/",
"https://bishopfox.com/blog/kubernetes-pod-privilege-escalation"
],
"related_integrations": [
{
"integration": "audit",
"package": "gcp",
"version": "^2.0.0"
}
],
"required_fields": [
{
"ecs": true,
"name": "data_stream.dataset",
"type": "constant_keyword"
},
{
"ecs": true,
"name": "event.action",
"type": "keyword"
},
{
"ecs": false,
"name": "gcp.audit.request.metadata.ownerReferences.kind",
"type": "unknown"
},
{
"ecs": false,
"name": "gcp.audit.request.spec.hostNetwork",
"type": "unknown"
},
{
"ecs": true,
"name": "user.email",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "0030f681-0142-4231-b728-49bb9fc12066",
"setup": "The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.",
"severity": "medium",
"tags": [
"Domain: Cloud",
"Domain: Kubernetes",
"Data Source: GCP",
"Data Source: Google Cloud Platform",
"Use Case: Threat Detection",
"Tactic: Privilege Escalation",
"Tactic: Execution",
"Resources: Investigation Guide"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0004",
"name": "Privilege Escalation",
"reference": "https://attack.mitre.org/tactics/TA0004/"
},
"technique": [
{
"id": "T1611",
"name": "Escape to Host",
"reference": "https://attack.mitre.org/techniques/T1611/"
}
]
},
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0002",
"name": "Execution",
"reference": "https://attack.mitre.org/tactics/TA0002/"
},
"technique": [
{
"id": "T1610",
"name": "Deploy Container",
"reference": "https://attack.mitre.org/techniques/T1610/"
}
]
}
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
},
"id": "0030f681-0142-4231-b728-49bb9fc12066_1",
"type": "security-rule"
}

This file was deleted.

Loading
Loading