Skip to content

[New] GKE Kubernetes Rules#6357

Merged
Samirbous merged 14 commits into
mainfrom
k8_other_sources
Jul 6, 2026
Merged

[New] GKE Kubernetes Rules#6357
Samirbous merged 14 commits into
mainfrom
k8_other_sources

Conversation

@Samirbous

Copy link
Copy Markdown
Contributor

Convert some of our existing K8 rules https://github.com/elastic/detection-rules/tree/1e00f52d419d677ac52794e31ea1a63c97fd239b/rules/integrations/kubernetes to GCP K8 Audit logs. All queries validated against Zocalo dataset.

Convert some of our existing K8 rules https://github.com/elastic/detection-rules/tree/1e00f52d419d677ac52794e31ea1a63c97fd239b/rules/integrations/kubernetes to GCP K8 Audit logs. All queries validated against Zocalo dataset.
@Samirbous Samirbous self-assigned this Jun 30, 2026
Copilot AI review requested due to automatic review settings June 30, 2026 10:32
@Samirbous Samirbous added Rule: New Proposal for new rule Integration: GCP GCP related rules labels Jun 30, 2026
@github-actions

Copy link
Copy Markdown
Contributor

Rule: New - Guidelines

These guidelines serve as a reminder set of considerations when proposing a new rule.

Documentation and Context

  • Detailed description of the rule.
  • List any new fields required in ECS/data sources.
  • Link related issues or PRs.
  • Include references.

Rule Metadata Checks

  • creation_date matches the date of creation PR initially merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive, considering performance for diverse environments. Non ecs fields should be added to non-ecs-schema.json if not available in an integration.
  • min_stack_comments and min_stack_version should be included if the rule is only compatible starting from a specific stack version.
  • index pattern should be neither too specific nor too vague, ensuring it accurately matches the relevant data stream (e.g., use logs-endpoint.process-* for process data).
  • integration should align with the index. If the integration is newly introduced, ensure the manifest, schemas, and new_rule.yaml template are updated.
  • setup should include the necessary steps to configure the integration.
  • note should include any additional information (e.g. Triage and analysis investigation guides, timeline templates).
  • tags should be relevant to the threat and align/added to the EXPECTED_RULE_TAGS in the definitions.py file.
  • threat, techniques, and subtechniques should map to ATT&CK always if possible.

New BBR Rules

  • building_block_type should be included if the rule is a building block and the rule should be located in the rules_building_block folder.
  • bypass_bbr_timing should be included if adding custom lookback timing to the rule.

Testing and Validation

  • Provide evidence of testing and detecting the expected threat.
  • Check for existence of coverage to prevent duplication.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds a new set of GKE-focused detection rules built on GCP Kubernetes audit logs (ported from existing Kubernetes audit rules), plus the necessary schema updates to support new non-ECS fields.

Changes:

  • Introduces multiple new GKE detection rules covering privilege escalation, persistence, discovery, execution, and credential access scenarios using logs-gcp.audit-*.
  • Adds an ES|QL aggregation rule to detect bursts of failed Kubernetes API requests.
  • Extends non-ecs-schema.json with GCP audit field mappings used by the new rules.

Reviewed changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
rules/integrations/gcp/privilege_escalation_gcp_gke_sensitive_hostpath_volume.toml Detects pod specs mounting sensitive hostPath paths in GKE audit logs.
rules/integrations/gcp/privilege_escalation_gcp_gke_privileged_pod_created.toml Detects pods created with allowPrivilegeEscalation: true.
rules/integrations/gcp/privilege_escalation_gcp_gke_pod_host_pid.toml Detects HostPID enablement on pod create/update/patch events.
rules/integrations/gcp/privilege_escalation_gcp_gke_pod_host_network.toml Detects HostNetwork enablement on pod create/update/patch events.
rules/integrations/gcp/privilege_escalation_gcp_gke_pod_host_ipc.toml Detects HostIPC enablement on pod create/update/patch events.
rules/integrations/gcp/privilege_escalation_gcp_gke_excessive_linux_capabilities.toml Detects dangerous Linux capability additions in pod create events.
rules/integrations/gcp/persistence_gcp_gke_cluster_admin_role_binding.toml Detects modifications to a cluster-admin-related ClusterRoleBinding (logic/description mismatch flagged in comments).
rules/integrations/gcp/persistence_gcp_gke_admission_webhook_created_or_modified.toml Detects admission webhook config changes; exclusion scoping issue flagged in comments.
rules/integrations/gcp/execution_gcp_gke_user_exec_into_pod.toml New-terms rule for first-time user exec into pods.
rules/integrations/gcp/discovery_gcp_gke_suspicious_self_subject_review.toml Detects service account/node self-subject review activity.
rules/integrations/gcp/discovery_gcp_gke_api_request_failure_burst.toml ES
rules/integrations/gcp/credential_access_gcp_gke_secrets_list_unusual_source_asn.toml New-terms rule for first-time secret listing from unusual ASN orgs; scoping tweak flagged in comments.
rules/integrations/gcp/credential_access_gcp_gke_secret_access_suspicious_user_agent.toml Detects secrets get/list with suspicious user-agent fingerprints.
detection_rules/etc/non-ecs-schema.json Adds logs-gcp.audit-* field mappings referenced by the new rules.

@Aegrah Aegrah left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Amazing work, great effort. 🚀

Comment thread rules/integrations/gcp/discovery_gcp_gke_api_request_failure_burst.toml Outdated
Comment thread rules/integrations/gcp/discovery_gcp_gke_api_request_failure_burst.toml Outdated
Samirbous and others added 6 commits July 6, 2026 09:55
…_suspicious_user_agent.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
…urst.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
…urst.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
@Samirbous Samirbous merged commit 34507cc into main Jul 6, 2026
12 checks passed
@Samirbous Samirbous deleted the k8_other_sources branch July 6, 2026 16:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants