Data Source: Kubernetes Audit

Description

Data source definition for Kubernetes audit log events (ingested with source `kubernetes` and sourcetype `_json`).

Details

Property Value
Source kubernetes
Sourcetype _json

Event Fields

Fields

- _time
- annotations.authorization.k8s.io/decision
- annotations.authorization.k8s.io/reason
- apiVersion
- auditID
- eventtype
- host
- index
- kind
- level
- linecount
- objectRef.apiGroup
- objectRef.apiVersion
- objectRef.namespace
- objectRef.resource
- punct
- requestReceivedTimestamp
- requestURI
- responseObject.apiVersion
- responseObject.code
- responseObject.details.group
- responseObject.details.kind
- responseObject.kind
- responseObject.message
- responseObject.reason
- responseObject.status
- responseStatus.code
- responseStatus.details.group
- responseStatus.details.kind
- responseStatus.message
- responseStatus.reason
- responseStatus.status
- source
- sourceIPs{}
- sourcetype
- splunk_server
- stage
- stageTimestamp
- tag
- tag::eventtype
- timestamp
- user.groups{}
- user.uid
- user.username
- userAgent
- verb

Example Log (an authorization-denied `create` of a Job: `responseStatus.code` 403, `annotations.authorization.k8s.io/decision` = `forbid`)

{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"582c31ab-4906-49bb-9ff9-872f980ccb84","stage":"ResponseComplete","requestURI":"/apis/batch/v1/namespaces/test2/jobs?fieldManager=kubectl-create\u0026fieldValidation=Strict","verb":"create","user":{"username":"k8s-test-user","uid":"aws-iam-authenticator:591511147606:AROAYTOGP2RLFHNBOTP5J","groups":["system:authenticated"]},"sourceIPs":["176.95.188.101"],"userAgent":"kubectl/v1.27.2 (darwin/arm64) kubernetes/7f6f68f","objectRef":{"resource":"jobs","namespace":"test2","apiGroup":"batch","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Failure","message":"jobs.batch is forbidden: User \"k8s-test-user\" cannot create resource \"jobs\" in API group \"batch\" in the namespace \"test2\"","reason":"Forbidden","details":{"group":"batch","kind":"jobs"},"code":403},"responseObject":{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"jobs.batch is forbidden: User \"k8s-test-user\" cannot create resource \"jobs\" in API group \"batch\" in the namespace \"test2\"","reason":"Forbidden","details":{"group":"batch","kind":"jobs"},"code":403},"requestReceivedTimestamp":"2023-12-07T14:44:53.358394Z","stageTimestamp":"2023-12-07T14:44:53.375985Z","annotations":{"authorization.k8s.io/decision":"forbid","authorization.k8s.io/reason":""}}

Source: GitHub | Version: 1