Added DataConnector (alcide_kaudit.json) and Alcide logo (#510)
* Added DataConnector (alcide_kaudit.json) and Alcide logo * Sample data files Added 4 sample data files. * Replaced fixed sample data files * Create .DS_Store * Update alcide_kaudit_activity_1_CL.json * Update alcide_kaudit.json * Delete .DS_Store * Update alcide_kaudit.json * Update alcide_kaudit.json
This commit is contained in:
Родитель
21067c054e
Коммит
b05398ed56
|
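--- a/alcide_kaudit.json
+++ b/alcide_kaudit.json
@@ -0,0 +1,97 @@
+{
+"id": "Alcide_kAudit",
+"title": "Alcide kAudit",
+"publisher": "Alcide",
+"descriptionMarkdown": "Alcide kAudit connector allows you to automatically export your Kubernetes cluster audit logs into Azure Sentinel in real-time. This enables enhanced visibility and observability into your Kubernetes audit logs, providing robust security and monitoring capabilities for forensics purposes.",
+"graphQueries": [
+{
+"metricName": "Anomalies and Incidents - All Data",
+"legend": "alcide_kaudit_detections_1_CL",
+"baseQuery": "alcide_kaudit_detections_1_CL"
+}
+],
+"sampleQueries": [
+{
+"description" : "All detections (anomalies and incidents) entries",
+"query": "\nalcide_kaudit_detections_1_CL\n| sort by TimeGenerated\n"
+},
+{
+"description" : "All audit activity for a Secret resource type, summarized count by resource namespace",
+"query": "\nalcide_kaudit_activity_1_CL\n| where resource_type_s == \"secrets\"\n| summarize count() by resource_namespace_s"
+},
+{
+"description" : "Audit activity, summarized by principal, Type and Caller IP",
+"query": "\nalcide_kaudit_selections_details_1_CL\n| summarize count() by principal_s, Type, caller_ip_s"
+}
+],
+"dataTypes": [
+{
+"name": "alcide_kaudit_activity_1_CL",
+"lastDataReceivedQuery": "alcide_kaudit_activity_1_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+},
+{
+"name": "alcide_kaudit_detections_1_CL",
+"lastDataReceivedQuery": "alcide_kaudit_detections_1_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+},
+{
+"name": "alcide_kaudit_selections_count_1_CL",
+"lastDataReceivedQuery": "alcide_kaudit_selections_count_1_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+},
+{
+"name": "alcide_kaudit_selections_details_1_CL",
+"lastDataReceivedQuery": "alcide_kaudit_selections_details_1_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+}
+],
+"connectivityCriterias": [
+{
+"type": "IsConnectedQuery",
+"value": [
+"alcide_kaudit_activity_1_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+]
+}
+],
+"availability": {
+"status": 1
+},
+"permissions": {
+"resourceProvider": [
+{
+"provider": "Microsoft.OperationalInsights/workspaces",
+"permissionsDisplayText": "read and write permissions are required.",
+"providerDisplayName": "Workspace",
+"scope": "Workspace",
+"requiredPermissions": {
+"write": true,
+"read": true,
+"delete": true
+}
+}
+]
+},
+"instructionSteps": [
+{
+"title": "",
+"description": "Follow the step-by-step instructions provided in the [Alcide kAudit Installation Guide](https://get.alcide.io/hubfs/Azure%20Sentinel%20Integration%20with%20kAudit.pdf)",
+"instructions": [
+{
+"parameters": {
+"fillWith": [
+"WorkspaceId"
+],
+"label": "Workspace ID"
+},
+"type": "CopyableLabel"
+},
+{
+"parameters": {
+"fillWith": [
+"PrimaryKey"
+],
+"label": "Primary Key"
+},
+"type": "CopyableLabel"
+}
+]
+}
+]
+}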
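Review bot: `requiredPermissions` asks for `"delete": true` on the workspace while `permissionsDisplayText` a few lines above tells the user only read and write are required; this connector only ingests custom-log tables, so either drop `"delete": true` or make the display text say why delete is needed, rather than over-requesting against the stated least-privilege claim. The single `IsConnectedQuery` checks only `alcide_kaudit_activity_1_CL`, yet the graph query is built on `alcide_kaudit_detections_1_CL`, so a deployment exporting only detections would be reported as disconnected; one connectivity query per data type (or a `union` of the four tables) would match what the connector actually shows. The `PrimaryKey` CopyableLabel hands out a long-lived shared secret with write access to the whole workspace; the step description should say to treat it as a secret and, presumably, that regenerating it in the workspace requires updating the kAudit side — worth confirming against the linked installation guide.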
Двоичный файл не отображается.
После Ширина: | Высота: | Размер: 2.1 KiB |
|
@ -0,0 +1,384 @@
|
|||
[{"principal": "system:serviceaccount:kube-system:generic-garbage-collector",
|
||||
"user_id": "f1f2f48d-562d-11ea-9f0c-064c9b19af08",
|
||||
"cluster": "aks-test",
|
||||
"username": "system:serviceaccount:kube-system:generic-garbage-collector",
|
||||
"ua_linux": "amd6",
|
||||
"uri": "/apis/scheduling.k8s.io/v1?timeout=32s",
|
||||
"verb": "get",
|
||||
"id": "b9412f02-91d1-46b4-8f2c-9628b9001a11",
|
||||
"timestamp": "2020-03-01T15:31:00+0000",
|
||||
"status_code": 200,
|
||||
"cluster_role": "system:discovery",
|
||||
"ua_kube_controller_manager": "v1.14.9",
|
||||
"time": 1583076660021,
|
||||
"access_type": "read",
|
||||
"user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system",
|
||||
"caller_ip": "10.0.97.212",
|
||||
"non_authorized": false,
|
||||
"resource_name": "",
|
||||
"original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:generic-garbage-collector"},
|
||||
{"principal": "system:node:ip-192-168-215-208.us-west-2.compute.internal",
|
||||
"caller_ip_asn": "AMAZON-02",
|
||||
"user_id": "heptio-authenticator-aws:111111111111:AROA5AHBLVHAHGZPH4LJX",
|
||||
"cluster": "aks-test",
|
||||
"username": "system:node:ip-192-168-215-208.us-west-2.compute.internal",
|
||||
"ua_linux": "amd6",
|
||||
"uri": "/apis/storage.k8s.io/v1beta1/csidrivers?resourceVersion=1222086&timeout=9m7s&timeoutSeconds=547&watch=true",
|
||||
"api_group": "storage.k8s.io",
|
||||
"verb": "watch",
|
||||
"api_version": "v1beta1",
|
||||
"id": "7a4ebd7a-f3b4-4194-b8f2-885432a1029f",
|
||||
"timestamp": "2020-03-01T15:31:00+0000",
|
||||
"status_code": 200,
|
||||
"time": 1583076660063,
|
||||
"resource_type": "csidrivers",
|
||||
"ua_kubelet": "v1.14.8",
|
||||
"access_type": "read",
|
||||
"user_groups": "system:authenticated; system:bootstrappers; system:nodes",
|
||||
"caller_ip": "35.160.67.136",
|
||||
"caller_ip_country": "US",
|
||||
"non_authorized": false,
|
||||
"resource_name": "csidrivers",
|
||||
"original_user_agent": "kubelet/v1.14.8 (linux/amd64) kubernetes/b8860f6"},
|
||||
{"principal": "system:serviceaccount:kube-system:generic-garbage-collector",
|
||||
"user_id": "f1f2f48d-562d-11ea-9f0c-064c9b19af08",
|
||||
"cluster": "aks-test",
|
||||
"username": "system:serviceaccount:kube-system:generic-garbage-collector",
|
||||
"ua_linux": "amd6",
|
||||
"uri": "/apis/scheduling.k8s.io/v1beta1?timeout=32s",
|
||||
"verb": "get",
|
||||
"id": "e76ce955-1869-4e86-9fd8-14eca13c7469",
|
||||
"timestamp": "2020-03-01T15:31:00+0000",
|
||||
"status_code": 200,
|
||||
"cluster_role": "system:discovery",
|
||||
"ua_kube_controller_manager": "v1.14.9",
|
||||
"time": 1583076660071,
|
||||
"access_type": "read",
|
||||
"user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system",
|
||||
"caller_ip": "10.0.97.212",
|
||||
"non_authorized": false,
|
||||
"resource_name": "",
|
||||
"original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:generic-garbage-collector"},
|
||||
{"principal": "system:serviceaccount:kube-system:generic-garbage-collector",
|
||||
"user_id": "f1f2f48d-562d-11ea-9f0c-064c9b19af08",
|
||||
"cluster": "aks-test",
|
||||
"username": "system:serviceaccount:kube-system:generic-garbage-collector",
|
||||
"ua_linux": "amd6",
|
||||
"uri": "/apis/coordination.k8s.io/v1beta1?timeout=32s",
|
||||
"verb": "get",
|
||||
"id": "17923faa-0cdc-4cf1-af08-fd734315ddeb",
|
||||
"timestamp": "2020-03-01T15:31:00+0000",
|
||||
"status_code": 200,
|
||||
"cluster_role": "system:discovery",
|
||||
"ua_kube_controller_manager": "v1.14.9",
|
||||
"time": 1583076660121,
|
||||
"access_type": "read",
|
||||
"user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system",
|
||||
"caller_ip": "10.0.97.212",
|
||||
"non_authorized": false,
|
||||
"resource_name": "",
|
||||
"original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:generic-garbage-collector"},
|
||||
{"principal": "system:serviceaccount:kube-system:generic-garbage-collector",
|
||||
"user_id": "f1f2f48d-562d-11ea-9f0c-064c9b19af08",
|
||||
"cluster": "aks-test",
|
||||
"username": "system:serviceaccount:kube-system:generic-garbage-collector",
|
||||
"ua_linux": "amd6",
|
||||
"uri": "/apis/node.k8s.io/v1beta1?timeout=32s",
|
||||
"verb": "get",
|
||||
"id": "29ef7a96-08c5-4dd2-b154-778b2d779d92",
|
||||
"timestamp": "2020-03-01T15:31:00+0000",
|
||||
"status_code": 200,
|
||||
"cluster_role": "system:discovery",
|
||||
"ua_kube_controller_manager": "v1.14.9",
|
||||
"time": 1583076660171,
|
||||
"access_type": "read",
|
||||
"user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system",
|
||||
"caller_ip": "10.0.97.212",
|
||||
"non_authorized": false,
|
||||
"resource_name": "",
|
||||
"original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:generic-garbage-collector"},
|
||||
{"principal": "system:serviceaccount:kube-system:resourcequota-controller",
|
||||
"user_id": "f40b0751-562d-11ea-9f0c-064c9b19af08",
|
||||
"cluster": "aks-test",
|
||||
"username": "system:serviceaccount:kube-system:resourcequota-controller",
|
||||
"ua_linux": "amd6",
|
||||
"uri": "/apis?timeout=32s",
|
||||
"verb": "get",
|
||||
"id": "371b3edc-c130-4c54-b204-363b872473b8",
|
||||
"timestamp": "2020-03-01T15:31:00+0000",
|
||||
"status_code": 200,
|
||||
"cluster_role": "system:discovery",
|
||||
"ua_kube_controller_manager": "v1.14.9",
|
||||
"time": 1583076660363,
|
||||
"access_type": "read",
|
||||
"user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system",
|
||||
"caller_ip": "10.0.97.212",
|
||||
"non_authorized": false,
|
||||
"resource_name": "",
|
||||
"original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:resourcequota-controller"},
|
||||
{"principal": "system:serviceaccount:kube-system:resourcequota-controller",
|
||||
"user_id": "f40b0751-562d-11ea-9f0c-064c9b19af08",
|
||||
"cluster": "aks-test",
|
||||
"username": "system:serviceaccount:kube-system:resourcequota-controller",
|
||||
"ua_linux": "amd6",
|
||||
"uri": "/api?timeout=32s",
|
||||
"verb": "get",
|
||||
"id": "e11e50e5-381c-4953-bfcf-f247670a5f46",
|
||||
"timestamp": "2020-03-01T15:31:00+0000",
|
||||
"status_code": 200,
|
||||
"cluster_role": "system:discovery",
|
||||
"ua_kube_controller_manager": "v1.14.9",
|
||||
"time": 1583076660363,
|
||||
"access_type": "read",
|
||||
"user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system",
|
||||
"caller_ip": "10.0.97.212",
|
||||
"non_authorized": false,
|
||||
"resource_name": "",
|
||||
"original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:resourcequota-controller"},
|
||||
{"principal": "system:serviceaccount:kube-system:resourcequota-controller",
|
||||
"user_id": "f40b0751-562d-11ea-9f0c-064c9b19af08",
|
||||
"cluster": "aks-test",
|
||||
"username": "system:serviceaccount:kube-system:resourcequota-controller",
|
||||
"ua_linux": "amd6",
|
||||
"uri": "/apis/crd.k8s.amazonaws.com/v1alpha1?timeout=32s",
|
||||
"verb": "get",
|
||||
"id": "872745fb-eca2-4b5d-9dd4-63ca2dd7e6f7",
|
||||
"timestamp": "2020-03-01T15:31:00+0000",
|
||||
"status_code": 200,
|
||||
"cluster_role": "system:discovery",
|
||||
"ua_kube_controller_manager": "v1.14.9",
|
||||
"time": 1583076660364,
|
||||
"access_type": "read",
|
||||
"user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system",
|
||||
"caller_ip": "10.0.97.212",
|
||||
"non_authorized": false,
|
||||
"resource_name": "",
|
||||
"original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:resourcequota-controller"},
|
||||
{"principal": "system:serviceaccount:kube-system:resourcequota-controller",
|
||||
"user_id": "f40b0751-562d-11ea-9f0c-064c9b19af08",
|
||||
"cluster": "aks-test",
|
||||
"username": "system:serviceaccount:kube-system:resourcequota-controller",
|
||||
"ua_linux": "amd6",
|
||||
"uri": "/apis/authorization.k8s.io/v1?timeout=32s",
|
||||
"verb": "get",
|
||||
"id": "46f014c4-79ec-42a7-9794-9ccfa34338a8",
|
||||
"timestamp": "2020-03-01T15:31:00+0000",
|
||||
"status_code": 200,
|
||||
"cluster_role": "system:discovery",
|
||||
"ua_kube_controller_manager": "v1.14.9",
|
||||
"time": 1583076660365,
|
||||
"access_type": "read",
|
||||
"user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system",
|
||||
"caller_ip": "10.0.97.212",
|
||||
"non_authorized": false,
|
||||
"resource_name": "",
|
||||
"original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:resourcequota-controller"},
|
||||
{"principal": "system:serviceaccount:kube-system:resourcequota-controller",
|
||||
"user_id": "f40b0751-562d-11ea-9f0c-064c9b19af08",
|
||||
"cluster": "aks-test",
|
||||
"username": "system:serviceaccount:kube-system:resourcequota-controller",
|
||||
"ua_linux": "amd6",
|
||||
"uri": "/apis/policy/v1beta1?timeout=32s",
|
||||
"verb": "get",
|
||||
"id": "85188a2c-a632-4e4d-bfef-7e9476a9d510",
|
||||
"timestamp": "2020-03-01T15:31:00+0000",
|
||||
"status_code": 200,
|
||||
"cluster_role": "system:discovery",
|
||||
"ua_kube_controller_manager": "v1.14.9",
|
||||
"time": 1583076660365,
|
||||
"access_type": "read",
|
||||
"user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system",
|
||||
"caller_ip": "10.0.97.212",
|
||||
"non_authorized": false,
|
||||
"resource_name": "",
|
||||
"original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:resourcequota-controller"},
|
||||
{"principal": "system:serviceaccount:kube-system:resourcequota-controller",
|
||||
"user_id": "f40b0751-562d-11ea-9f0c-064c9b19af08",
|
||||
"cluster": "aks-test",
|
||||
"username": "system:serviceaccount:kube-system:resourcequota-controller",
|
||||
"ua_linux": "amd6",
|
||||
"uri": "/api/v1?timeout=32s",
|
||||
"verb": "get",
|
||||
"id": "c20bb74a-1017-4fd8-a60d-aba5d84facdd",
|
||||
"timestamp": "2020-03-01T15:31:00+0000",
|
||||
"status_code": 200,
|
||||
"cluster_role": "system:discovery",
|
||||
"ua_kube_controller_manager": "v1.14.9",
|
||||
"time": 1583076660365,
|
||||
"access_type": "read",
|
||||
"user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system",
|
||||
"caller_ip": "10.0.97.212",
|
||||
"non_authorized": false,
|
||||
"resource_name": "",
|
||||
"original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:resourcequota-controller"},
|
||||
{"principal": "system:serviceaccount:kube-system:resourcequota-controller",
|
||||
"user_id": "f40b0751-562d-11ea-9f0c-064c9b19af08",
|
||||
"cluster": "aks-test",
|
||||
"username": "system:serviceaccount:kube-system:resourcequota-controller",
|
||||
"ua_linux": "amd6",
|
||||
"uri": "/apis/autoscaling/v2beta1?timeout=32s",
|
||||
"verb": "get",
|
||||
"id": "5e707d6b-b219-4668-a46f-d75727b43c42",
|
||||
"timestamp": "2020-03-01T15:31:00+0000",
|
||||
"status_code": 200,
|
||||
"cluster_role": "system:discovery",
|
||||
"ua_kube_controller_manager": "v1.14.9",
|
||||
"time": 1583076660366,
|
||||
"access_type": "read",
|
||||
"user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system",
|
||||
"caller_ip": "10.0.97.212",
|
||||
"non_authorized": false,
|
||||
"resource_name": "",
|
||||
"original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:resourcequota-controller"},
|
||||
{"principal": "system:serviceaccount:kube-system:resourcequota-controller",
|
||||
"user_id": "f40b0751-562d-11ea-9f0c-064c9b19af08",
|
||||
"cluster": "aks-test",
|
||||
"username": "system:serviceaccount:kube-system:resourcequota-controller",
|
||||
"ua_linux": "amd6",
|
||||
"uri": "/apis/apiregistration.k8s.io/v1beta1?timeout=32s",
|
||||
"verb": "get",
|
||||
"id": "61a4cd02-8716-4deb-9494-44fbc7a58bb9",
|
||||
"timestamp": "2020-03-01T15:31:00+0000",
|
||||
"status_code": 200,
|
||||
"cluster_role": "system:discovery",
|
||||
"ua_kube_controller_manager": "v1.14.9",
|
||||
"time": 1583076660366,
|
||||
"access_type": "read",
|
||||
"user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system",
|
||||
"caller_ip": "10.0.97.212",
|
||||
"non_authorized": false,
|
||||
"resource_name": "",
|
||||
"original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:resourcequota-controller"},
|
||||
{"principal": "system:serviceaccount:kube-system:resourcequota-controller",
|
||||
"user_id": "f40b0751-562d-11ea-9f0c-064c9b19af08",
|
||||
"cluster": "aks-test",
|
||||
"username": "system:serviceaccount:kube-system:resourcequota-controller",
|
||||
"ua_linux": "amd6",
|
||||
"uri": "/apis/authentication.k8s.io/v1?timeout=32s",
|
||||
"verb": "get",
|
||||
"id": "a2a39aae-df26-4b81-8711-caadf749104c",
|
||||
"timestamp": "2020-03-01T15:31:00+0000",
|
||||
"status_code": 200,
|
||||
"cluster_role": "system:discovery",
|
||||
"ua_kube_controller_manager": "v1.14.9",
|
||||
"time": 1583076660366,
|
||||
"access_type": "read",
|
||||
"user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system",
|
||||
"caller_ip": "10.0.97.212",
|
||||
"non_authorized": false,
|
||||
"resource_name": "",
|
||||
"original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:resourcequota-controller"},
|
||||
{"principal": "system:serviceaccount:kube-system:resourcequota-controller",
|
||||
"user_id": "f40b0751-562d-11ea-9f0c-064c9b19af08",
|
||||
"cluster": "aks-test",
|
||||
"username": "system:serviceaccount:kube-system:resourcequota-controller",
|
||||
"ua_linux": "amd6",
|
||||
"uri": "/apis/authentication.k8s.io/v1beta1?timeout=32s",
|
||||
"verb": "get",
|
||||
"id": "aa334163-141d-4708-a8b9-c740a856067d",
|
||||
"timestamp": "2020-03-01T15:31:00+0000",
|
||||
"status_code": 200,
|
||||
"cluster_role": "system:discovery",
|
||||
"ua_kube_controller_manager": "v1.14.9",
|
||||
"time": 1583076660366,
|
||||
"access_type": "read",
|
||||
"user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system",
|
||||
"caller_ip": "10.0.97.212",
|
||||
"non_authorized": false,
|
||||
"resource_name": "",
|
||||
"original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:resourcequota-controller"},
|
||||
{"principal": "system:serviceaccount:kube-system:resourcequota-controller",
|
||||
"user_id": "f40b0751-562d-11ea-9f0c-064c9b19af08",
|
||||
"cluster": "aks-test",
|
||||
"username": "system:serviceaccount:kube-system:resourcequota-controller",
|
||||
"ua_linux": "amd6",
|
||||
"uri": "/apis/apiregistration.k8s.io/v1?timeout=32s",
|
||||
"verb": "get",
|
||||
"id": "faef4f40-a520-44b8-9b50-ea44634cf4d8",
|
||||
"timestamp": "2020-03-01T15:31:00+0000",
|
||||
"status_code": 200,
|
||||
"cluster_role": "system:discovery",
|
||||
"ua_kube_controller_manager": "v1.14.9",
|
||||
"time": 1583076660366,
|
||||
"access_type": "read",
|
||||
"user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system",
|
||||
"caller_ip": "10.0.97.212",
|
||||
"non_authorized": false,
|
||||
"resource_name": "",
|
||||
"original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:resourcequota-controller"},
|
||||
{"principal": "system:serviceaccount:kube-system:resourcequota-controller",
|
||||
"user_id": "f40b0751-562d-11ea-9f0c-064c9b19af08",
|
||||
"cluster": "aks-test",
|
||||
"username": "system:serviceaccount:kube-system:resourcequota-controller",
|
||||
"ua_linux": "amd6",
|
||||
"uri": "/apis/storage.k8s.io/v1beta1?timeout=32s",
|
||||
"verb": "get",
|
||||
"id": "0f0ab786-8c50-4a63-b76b-73b6b83131c4",
|
||||
"timestamp": "2020-03-01T15:31:00+0000",
|
||||
"status_code": 200,
|
||||
"cluster_role": "system:discovery",
|
||||
"ua_kube_controller_manager": "v1.14.9",
|
||||
"time": 1583076660367,
|
||||
"access_type": "read",
|
||||
"user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system",
|
||||
"caller_ip": "10.0.97.212",
|
||||
"non_authorized": false,
|
||||
"resource_name": "",
|
||||
"original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:resourcequota-controller"},
|
||||
{"principal": "system:serviceaccount:kube-system:resourcequota-controller",
|
||||
"user_id": "f40b0751-562d-11ea-9f0c-064c9b19af08",
|
||||
"cluster": "aks-test",
|
||||
"username": "system:serviceaccount:kube-system:resourcequota-controller",
|
||||
"ua_linux": "amd6",
|
||||
"uri": "/apis/storage.k8s.io/v1?timeout=32s",
|
||||
"verb": "get",
|
||||
"id": "1b80c99b-776e-408e-bfb8-7704fa35a7c4",
|
||||
"timestamp": "2020-03-01T15:31:00+0000",
|
||||
"status_code": 200,
|
||||
"cluster_role": "system:discovery",
|
||||
"ua_kube_controller_manager": "v1.14.9",
|
||||
"time": 1583076660367,
|
||||
"access_type": "read",
|
||||
"user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system",
|
||||
"caller_ip": "10.0.97.212",
|
||||
"non_authorized": false,
|
||||
"resource_name": "",
|
||||
"original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:resourcequota-controller"},
|
||||
{"principal": "system:serviceaccount:kube-system:resourcequota-controller",
|
||||
"user_id": "f40b0751-562d-11ea-9f0c-064c9b19af08",
|
||||
"cluster": "aks-test",
|
||||
"username": "system:serviceaccount:kube-system:resourcequota-controller",
|
||||
"ua_linux": "amd6",
|
||||
"uri": "/apis/batch/v1?timeout=32s",
|
||||
"verb": "get",
|
||||
"id": "46d509e8-5dea-41a5-883d-5f1712ae5440",
|
||||
"timestamp": "2020-03-01T15:31:00+0000",
|
||||
"status_code": 200,
|
||||
"cluster_role": "system:discovery",
|
||||
"ua_kube_controller_manager": "v1.14.9",
|
||||
"time": 1583076660367,
|
||||
"access_type": "read",
|
||||
"user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system",
|
||||
"caller_ip": "10.0.97.212",
|
||||
"non_authorized": false,
|
||||
"resource_name": "",
|
||||
"original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:resourcequota-controller"},
|
||||
{"principal": "system:serviceaccount:kube-system:resourcequota-controller",
|
||||
"user_id": "f40b0751-562d-11ea-9f0c-064c9b19af08",
|
||||
"cluster": "aks-test",
|
||||
"username": "system:serviceaccount:kube-system:resourcequota-controller",
|
||||
"ua_linux": "amd6",
|
||||
"uri": "/apis/extensions/v1beta1?timeout=32s",
|
||||
"verb": "get",
|
||||
"id": "564b4c53-1af3-45cf-9c9a-de4024345531",
|
||||
"timestamp": "2020-03-01T15:31:00+0000",
|
||||
"status_code": 200,
|
||||
"cluster_role": "system:discovery",
|
||||
"ua_kube_controller_manager": "v1.14.9",
|
||||
"time": 1583076660367,
|
||||
"access_type": "read",
|
||||
"user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system",
|
||||
"caller_ip": "10.0.97.212",
|
||||
"non_authorized": false,
|
||||
"resource_name": "",
|
||||
"original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:resourcequota-controller"}]
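Review bot: The second record's `user_id` `heptio-authenticator-aws:111111111111:AROA5AHBLVHAHGZPH4LJX` pairs a placeholder account number with what looks like a genuine IAM role unique ID (the `AROA` prefix is the AWS role-ID format), and its `caller_ip` `35.160.67.136` is a routable public address; sample data committed to a public repo should be fully synthetic. Replace the unique ID with an obviously fake value and use an RFC 5737 documentation address such as `192.0.2.10` for the public caller, as was already done for the account ID. Separately, every record is labelled `"cluster": "aks-test"` while the principals, node names and `heptio-authenticator-aws` user IDs are EKS-style, which will confuse anyone using this file to reason about field values; a neutral cluster name avoids the mismatch.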
|
|
@ -0,0 +1,237 @@
|
|||
[{"confidence": "high",
|
||||
"etype": "principal",
|
||||
"short_doc": "change in remote commands",
|
||||
"cluster": "aks-test",
|
||||
"context_subresource_exec_command": "ls /home",
|
||||
"reasons_0_values_high": "1",
|
||||
"timestamp": "2020-03-01T14:36:00+0000",
|
||||
"reasons_0_direction": "write",
|
||||
"direction": "write",
|
||||
"reasons_0_period": 180000,
|
||||
"time": 1583073360000,
|
||||
"category": "anomaly",
|
||||
"period": 180000,
|
||||
"eid": "kubernetes-admin",
|
||||
"doc": "unusual change in count of unique remote commands in access attempts",
|
||||
"reasons_0_doc": "change in count of unique remote commands in write access attempts"},
|
||||
{"confidence": "high",
|
||||
"etype": "principal",
|
||||
"short_doc": "change in remote commands",
|
||||
"cluster": "aks-test",
|
||||
"context_subresource_exec_command": "ls /home",
|
||||
"reasons_0_values_high": "1",
|
||||
"timestamp": "2020-03-01T14:36:00+0000",
|
||||
"reasons_0_direction": "write",
|
||||
"direction": "write",
|
||||
"reasons_0_period": 180000,
|
||||
"time": 1583073360000,
|
||||
"category": "anomaly",
|
||||
"period": 180000,
|
||||
"eid": "kubernetes-admin",
|
||||
"doc": "unusual change in count of remote commands in access attempts",
|
||||
"reasons_0_doc": "change in count of remote commands in write access attempts"},
|
||||
{"confidence": "high",
|
||||
"etype": "principal",
|
||||
"short_doc": "change in remote commands",
|
||||
"cluster": "aks-test",
|
||||
"context_subresource_exec_command": "cat /etc/passwd; ls; ls /bin; sh",
|
||||
"reasons_0_values_high": "4",
|
||||
"timestamp": "2020-03-01T15:12:00+0000",
|
||||
"reasons_0_direction": "write",
|
||||
"direction": "write",
|
||||
"reasons_0_period": 180000,
|
||||
"time": 1583075520000,
|
||||
"category": "anomaly",
|
||||
"period": 180000,
|
||||
"eid": "kubernetes-admin",
|
||||
"doc": "unusual change in count of unique remote commands in access attempts",
|
||||
"reasons_0_doc": "change in count of unique remote commands in write access attempts"},
|
||||
{"confidence": "high",
|
||||
"etype": "principal",
|
||||
"short_doc": "change in remote shells",
|
||||
"cluster": "aks-test",
|
||||
"reasons_0_values_high": "4",
|
||||
"timestamp": "2020-03-01T15:12:00+0000",
|
||||
"reasons_0_direction": "write",
|
||||
"direction": "write",
|
||||
"reasons_0_period": 180000,
|
||||
"time": 1583075520000,
|
||||
"category": "anomaly",
|
||||
"period": 180000,
|
||||
"eid": "kubernetes-admin",
|
||||
"doc": "unusual change in count of unique remote shells",
|
||||
"reasons_0_doc": "change in count of unique remote shells attempts on resources"},
|
||||
{"confidence": "high",
|
||||
"etype": "principal",
|
||||
"short_doc": "change in remote commands",
|
||||
"cluster": "aks-test",
|
||||
"context_subresource_exec_command": "cat /etc/passwd; ls; ls /bin; sh",
|
||||
"reasons_0_values_high": "6",
|
||||
"timestamp": "2020-03-01T15:12:00+0000",
|
||||
"reasons_0_direction": "write",
|
||||
"direction": "write",
|
||||
"reasons_0_period": 180000,
|
||||
"time": 1583075520000,
|
||||
"category": "anomaly",
|
||||
"period": 180000,
|
||||
"eid": "kubernetes-admin",
|
||||
"doc": "unusual change in count of remote commands in access attempts",
|
||||
"reasons_0_doc": "change in count of remote commands in write access attempts"},
|
||||
{"confidence": "high",
|
||||
"etype": "cluster",
|
||||
"short_doc": "change in remote shells",
|
||||
"cluster": "aks-test",
|
||||
"reasons_0_values_high": "4",
|
||||
"timestamp": "2020-03-01T15:12:00+0000",
|
||||
"reasons_0_direction": "write",
|
||||
"direction": "write",
|
||||
"reasons_0_period": 180000,
|
||||
"time": 1583075520000,
|
||||
"category": "anomaly",
|
||||
"period": 180000,
|
||||
"eid": "cluster",
|
||||
"doc": "unusual change in count of unique remote shells",
|
||||
"reasons_0_doc": "change in count of unique remote shells attempts on resources"},
|
||||
{"confidence": "high",
|
||||
"etype": "cluster",
|
||||
"short_doc": "change in remote commands",
|
||||
"cluster": "aks-test",
|
||||
"context_subresource_exec_command": "cat /etc/passwd; ls; ls /bin; sh",
|
||||
"reasons_0_values_high": "4",
|
||||
"timestamp": "2020-03-01T15:12:00+0000",
|
||||
"reasons_0_direction": "write",
|
||||
"direction": "write",
|
||||
"reasons_0_period": 180000,
|
||||
"time": 1583075520000,
|
||||
"category": "anomaly",
|
||||
"period": 180000,
|
||||
"eid": "cluster",
|
||||
"doc": "unusual change in count of unique remote commands in access attempts",
|
||||
"reasons_0_doc": "change in count of unique remote commands in write access attempts"},
|
||||
{"confidence": "high",
|
||||
"context_caller_supplied_user_agent": "test; test (compatible; +http://www.google.com/bot.html); test (iPhone; CPU iPhone OS 12_2 like Mac OS X) (KHTML, like Gecko)",
|
||||
"etype": "principal",
|
||||
"short_doc": "change in access tool",
|
||||
"cluster": "aks-test",
|
||||
"reasons_0_values_high": "3",
|
||||
"timestamp": "2020-03-01T15:15:00+0000",
|
||||
"reasons_0_direction": "read",
|
||||
"direction": "read",
|
||||
"reasons_0_period": 180000,
|
||||
"time": 1583075700000,
|
||||
"category": "anomaly",
|
||||
"period": 180000,
|
||||
"eid": "kubernetes-admin",
|
||||
"doc": "unusual change in tool used in access attempts",
|
||||
"reasons_0_doc": "change in count of unique caller user-agents in read access attempts"},
|
||||
{"confidence": "high",
|
||||
"etype": "principal",
|
||||
"context_unusual_uri": "/configs; /debug/pprof; /login/test; /secrets/admin",
|
||||
"short_doc": "change in targets of access attempts",
|
||||
"cluster": "aks-test",
|
||||
"reasons_0_values_high": "4",
|
||||
"timestamp": "2020-03-01T15:15:00+0000",
|
||||
"reasons_0_direction": "read",
|
||||
"direction": "read",
|
||||
"reasons_0_period": 180000,
|
||||
"time": 1583075700000,
|
||||
"category": "anomaly",
|
||||
"period": 180000,
|
||||
"eid": "kubernetes-admin",
|
||||
"doc": "unusual change in count of unique unusual URIs in access attempts",
|
||||
"reasons_0_doc": "change in count of unique unusual URIs in read access attempts"},
|
||||
{"confidence": "high",
|
||||
"etype": "principal",
|
||||
"short_doc": "change in status reason of access attempts",
|
||||
"cluster": "aks-test",
|
||||
"context_status_reason": "NotFound",
|
||||
"reasons_0_values_high": "5",
|
||||
"timestamp": "2020-03-01T15:15:00+0000",
|
||||
"reasons_0_direction": "read",
|
||||
"direction": "read",
|
||||
"reasons_0_period": 180000,
|
||||
"time": 1583075700000,
|
||||
"category": "anomaly",
|
||||
"period": 180000,
|
||||
"eid": "kubernetes-admin",
|
||||
"doc": "unusual change in count of unexpected status reason in access attempts",
|
||||
"reasons_0_doc": "change in count of unexpected status reasons in read access attempts"},
|
||||
{"confidence": "high",
|
||||
"etype": "principal",
|
||||
"context_unusual_uri": "/configs; /debug/pprof; /login/test; /secrets/admin",
|
||||
"short_doc": "change in targets of access attempts",
|
||||
"cluster": "aks-test",
|
||||
"reasons_0_values_high": "5",
|
||||
"timestamp": "2020-03-01T15:15:00+0000",
|
||||
"reasons_0_direction": "read",
|
||||
"direction": "read",
|
||||
"reasons_0_period": 180000,
|
||||
"time": 1583075700000,
|
||||
"category": "anomaly",
|
||||
"period": 180000,
|
||||
"eid": "kubernetes-admin",
|
||||
"doc": "unusual change in count of unusual URIs in access attempts",
|
||||
"reasons_0_doc": "change in count of unusual URIs in read access attempts"},
|
||||
{"confidence": "high",
|
||||
"etype": "cluster",
|
||||
"context_unusual_uri": "/configs; /debug/pprof; /login/test; /secrets/admin",
|
||||
"short_doc": "change in targets of access attempts",
|
||||
"cluster": "aks-test",
|
||||
"reasons_0_values_high": "4",
|
||||
"timestamp": "2020-03-01T15:15:00+0000",
|
||||
"reasons_0_direction": "read",
|
||||
"direction": "read",
|
||||
"reasons_0_period": 180000,
|
||||
"time": 1583075700000,
|
||||
"category": "anomaly",
|
||||
"period": 180000,
|
||||
"eid": "cluster",
|
||||
"doc": "unusual change in count of unique unusual URIs in access attempts",
|
||||
"reasons_0_doc": "change in count of unique unusual URIs in read access attempts"},
|
||||
{"confidence": "high",
|
||||
"etype": "principal",
|
||||
"short_doc": "change in unauthorized access attempts",
|
||||
"cluster": "aks-test",
|
||||
"reasons_0_values_high": "6",
|
||||
"timestamp": "2020-03-01T15:27:00+0000",
|
||||
"reasons_0_direction": "write",
|
||||
"direction": "write",
|
||||
"reasons_0_period": 180000,
|
||||
"time": 1583076420000,
|
||||
"category": "anomaly",
|
||||
"period": 180000,
|
||||
"eid": "kubernetes-admin",
|
||||
"doc": "unusual change in count of unauthorized access attempts",
|
||||
"reasons_0_doc": "change in count of unauthorized write access attempts"},
|
||||
{"confidence": "high",
|
||||
"etype": "principal",
|
||||
"short_doc": "change in status reason of access attempts",
|
||||
"cluster": "aks-test",
|
||||
"context_status_reason": "Forbidden; NotFound",
|
||||
"reasons_0_values_high": "9",
|
||||
"timestamp": "2020-03-01T15:27:00+0000",
|
||||
"reasons_0_direction": "write",
|
||||
"direction": "write",
|
||||
"reasons_0_period": 180000,
|
||||
"time": 1583076420000,
|
||||
"category": "anomaly",
|
||||
"period": 180000,
|
||||
"eid": "kubernetes-admin",
|
||||
"doc": "unusual change in count of unexpected status reason in access attempts",
|
||||
"reasons_0_doc": "change in count of unexpected status reasons in write access attempts"},
|
||||
{"confidence": "high",
|
||||
"etype": "principal",
|
||||
"short_doc": "change in status reason of access attempts",
|
||||
"cluster": "aks-test",
|
||||
"context_status_reason": "Forbidden",
|
||||
"reasons_0_values_high": "4",
|
||||
"timestamp": "2020-03-01T15:27:00+0000",
|
||||
"reasons_0_direction": "write",
|
||||
"direction": "write",
|
||||
"reasons_0_period": 180000,
|
||||
"time": 1583076420000,
|
||||
"category": "anomaly",
|
||||
"period": 180000,
|
||||
"eid": "system:kube-controller-manager",
|
||||
"doc": "unusual change in count of unexpected status reason in access attempts",
|
||||
"reasons_0_doc": "change in count of unexpected status reasons in write access attempts"}]
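Review bot: The anomaly magnitude is serialized as a string (`"reasons_0_values_high": "4"`) while the sibling `period` and `reasons_0_period` values are numbers; given the `_s` column suffixes the connector's own sample queries rely on, this field will land as `reasons_0_values_high_s` and every threshold query will need a `toint()` first. If the exporter controls the type, emit it as a number; otherwise document the string type next to the sample queries. The `timestamp` values use a `+0000` offset without a colon, which is not the RFC 3339 form (`+00:00` or `Z`); confirm the ingestion path parses it as datetime or emit `Z`.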
|
|
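--- /dev/null
+++ b/PATH-NOT-ON-PAGE-sample-file-2
@@ -0,0 +1,35 @@
+[{"cluster": "aks-test",
+"principal": "kubernetes-admin",
+"rule": "pod execution",
+"resource_namespace": "kube-system",
+"time": 1583076422347,
+"timestamp": "2020-03-01T15:00:00+0000",
+"count": 10,
+"count-period": 3600000},
+{"cluster": "aks-test",
+"principal": "180.17.6.1",
+"caller_ip": "180.17.6.1",
+"caller_ip-country": "IL",
+"caller_ip_asn": "Partner Communications Ltd.",
+"rule": "pod execution",
+"resource_namespace": "kube-system",
+"time": 1583076422347,
+"timestamp": "2020-03-01T16:00:00+0000",
+"count": 1,
+"count-period": 3600000},
+{"cluster": "aks-test",
+"principal": "kubernetes-admin",
+"rule": "pod creation",
+"resource_namespace": "kube-system",
+"time": 1583076422347,
+"timestamp": "2020-03-01T16:00:00+0000",
+"count": 3,
+"count-period": 3600000},
+{"cluster": "aks-test",
+"principal": "kubernetes-admin",
+"rule": "secrets access",
+"resource_namespace": "kube-system",
+"time": 1583076422347,
+"timestamp": "2020-03-01T18:00:00+0000",
+"count": 3,
+"count-period": 3600000}]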
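Review bot: The key `"caller_ip-country"` on the second record uses a hyphen while the same attribute is spelled `"caller_ip_country"` in the larger sample file of this commit, so the two will be ingested as different custom columns and a query filtering on one spelling silently misses the other; `"count-period"` is the only other hyphenated key in a file that is otherwise snake_case. Unless the connector's parser really emits these names with hyphens, `"caller_ip_country": "IL"` and `"count_period": 3600000` would keep the schema consistent across the sample set. Separately, `"principal": "180.17.6.1"` is a public-looking address; sample data committed to a public repository is better served by a documentation range such as 192.0.2.0/24 (RFC 5737) so it cannot be mistaken for a real indicator.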
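--- /dev/null
+++ b/PATH-NOT-ON-PAGE-sample-file-3
@@ -0,0 +1,436 @@
+[{"principal": "kubernetes-admin",
+"caller_ip_asn": "Partner Communications Ltd.",
+"subresource_exec_container": "kube-proxy",
+"user_id": "heptio-authenticator-aws:111111111111:AIDAIANUOR22TDHE5UU66",
+"rule": "pod execution",
+"cluster": "aks-test",
+"subresource_exec_stderr": "true",
+"username": "kubernetes-admin",
+"uri": "/api/v1/namespaces/kube-system/pods/kube-proxy-ttffx/exec?command=ls&command=%2Fbin&container=kube-proxy&stderr=true&stdout=true",
+"verb": "create",
+"api_version": "v1",
+"resource_namespace": "kube-system",
+"id": "3cf94957-7435-40a9-98ad-399482337379",
+"timestamp": "2020-03-01T15:09:03+0000",
+"subresource_exec_stdout": "true",
+"status_code": 101,
+"subresource_exec_command": "ls /bin",
+"subresource": "exec",
+"time": 1583075343771,
+"resource_type": "pods",
+"access_type": "write",
+"user_groups": "system:authenticated; system:masters",
+"ua_kubectl": "v1.14.10",
+"caller_ip": "77.125.20.90",
+"caller_ip_country": "IL",
+"non_authorized": false,
+"resource_name": "kube-system/pods/kube-proxy-ttffx",
+"ua_windows": "amd6",
+"original_user_agent": "kubectl/v1.14.10 (windows/amd64) kubernetes/f5757a1"},
+{"principal": "kubernetes-admin",
+"caller_ip_asn": "Partner Communications Ltd.",
+"subresource_exec_container": "kube-proxy",
+"user_id": "heptio-authenticator-aws:111111111111:AIDAIANUOR22TDHE5UU66",
+"rule": "pod execution",
+"cluster": "aks-test",
+"subresource_exec_stdin": "true",
+"subresource_exec_tty": "true",
+"username": "kubernetes-admin",
+"uri": "/api/v1/namespaces/kube-system/pods/kube-proxy-ttffx/exec?command=sh&container=kube-proxy&stdin=true&stdout=true&tty=true",
+"verb": "create",
+"api_version": "v1",
+"resource_namespace": "kube-system",
+"id": "42498a0d-7a75-4a43-8c4d-1f4a724d5fa9",
+"timestamp": "2020-03-01T15:09:09+0000",
+"subresource_exec_stdout": "true",
+"status_code": 101,
+"subresource_exec_command": "sh",
+"subresource": "exec",
+"time": 1583075349980,
+"resource_type": "pods",
+"access_type": "write",
+"user_groups": "system:authenticated; system:masters",
+"ua_kubectl": "v1.14.10",
+"caller_ip": "77.125.20.90",
+"caller_ip_country": "IL",
+"non_authorized": false,
+"resource_name": "kube-system/pods/kube-proxy-ttffx",
+"ua_windows": "amd6",
+"original_user_agent": "kubectl/v1.14.10 (windows/amd64) kubernetes/f5757a1"},
+{"principal": "kubernetes-admin",
+"caller_ip_asn": "Partner Communications Ltd.",
+"subresource_exec_container": "kube-proxy",
+"user_id": "heptio-authenticator-aws:111111111111:AIDAIANUOR22TDHE5UU66",
+"rule": "pod execution",
+"cluster": "aks-test",
+"subresource_exec_stderr": "true",
+"username": "kubernetes-admin",
+"uri": "/api/v1/namespaces/kube-system/pods/kube-proxy-wtq8x/exec?command=cat&command=%2Fetc%2Fpasswd&container=kube-proxy&stderr=true&stdout=true",
+"verb": "create",
+"api_version": "v1",
+"resource_namespace": "kube-system",
+"id": "7cfd1bf1-cf75-4711-b62d-712a5f7670eb",
+"timestamp": "2020-03-01T15:09:25+0000",
+"subresource_exec_stdout": "true",
+"status_code": 101,
+"subresource_exec_command": "cat /etc/passwd",
+"subresource": "exec",
+"time": 1583075365850,
+"resource_type": "pods",
+"access_type": "write",
+"user_groups": "system:authenticated; system:masters",
+"ua_kubectl": "v1.14.10",
+"caller_ip": "77.125.20.90",
+"caller_ip_country": "IL",
+"non_authorized": false,
+"resource_name": "kube-system/pods/kube-proxy-wtq8x",
+"ua_windows": "amd6",
+"original_user_agent": "kubectl/v1.14.10 (windows/amd64) kubernetes/f5757a1"},
+{"principal": "kubernetes-admin",
+"caller_ip_asn": "Partner Communications Ltd.",
+"subresource_exec_container": "kube-proxy",
+"user_id": "heptio-authenticator-aws:111111111111:AIDAIANUOR22TDHE5UU66",
+"rule": "pod execution",
+"cluster": "aks-test",
+"subresource_exec_stderr": "true",
+"username": "kubernetes-admin",
+"uri": "/api/v1/namespaces/kube-system/pods/kube-proxy-ttffx/exec?command=ls&command=%2Fbin&container=kube-proxy&stderr=true&stdout=true",
+"verb": "create",
+"api_version": "v1",
+"resource_namespace": "kube-system",
+"id": "45935bdd-8cfe-4872-a66f-c9578c27591c",
+"timestamp": "2020-03-01T15:10:17+0000",
+"subresource_exec_stdout": "true",
+"status_code": 101,
+"subresource_exec_command": "ls /bin",
+"subresource": "exec",
+"time": 1583075417171,
+"resource_type": "pods",
+"access_type": "write",
+"user_groups": "system:authenticated; system:masters",
+"ua_kubectl": "v1.14.10",
+"caller_ip": "77.125.20.90",
+"caller_ip_country": "IL",
+"non_authorized": false,
+"resource_name": "kube-system/pods/kube-proxy-ttffx",
+"ua_windows": "amd6",
+"original_user_agent": "kubectl/v1.14.10 (windows/amd64) kubernetes/f5757a1"},
+{"principal": "kubernetes-admin",
+"caller_ip_asn": "Partner Communications Ltd.",
+"subresource_exec_container": "kube-proxy",
+"user_id": "heptio-authenticator-aws:111111111111:AIDAIANUOR22TDHE5UU66",
+"rule": "pod execution",
+"cluster": "aks-test",
+"subresource_exec_stderr": "true",
+"username": "kubernetes-admin",
+"uri": "/api/v1/namespaces/kube-system/pods/kube-proxy-kzzc5/exec?command=ls&container=kube-proxy&stderr=true&stdout=true",
+"verb": "create",
+"api_version": "v1",
+"resource_namespace": "kube-system",
+"id": "5a4c2f26-345d-44e2-9f52-a462aaf34a5a",
+"timestamp": "2020-03-01T15:11:53+0000",
+"subresource_exec_stdout": "true",
+"status_code": 101,
+"subresource_exec_command": "ls",
+"subresource": "exec",
+"ua_kubectl_exe": "v1.14.10",
+"time": 1583075513549,
+"resource_type": "pods",
+"access_type": "write",
+"user_groups": "system:authenticated; system:masters",
+"caller_ip": "77.125.20.90",
+"caller_ip_country": "IL",
+"non_authorized": false,
+"resource_name": "kube-system/pods/kube-proxy-kzzc5",
+"ua_windows": "amd6",
+"original_user_agent": "kubectl.exe/v1.14.10 (windows/amd64) kubernetes/f5757a1"},
+{"principal": "kubernetes-admin",
+"caller_ip_asn": "Partner Communications Ltd.",
+"subresource_exec_container": "coredns",
+"user_id": "heptio-authenticator-aws:111111111111:AIDAIANUOR22TDHE5UU66",
+"rule": "pod execution",
+"cluster": "aks-test",
+"subresource_exec_stderr": "true",
+"username": "kubernetes-admin",
+"uri": "/api/v1/namespaces/kube-system/pods/coredns-84549585c-zsv9t/exec?command=ls&container=coredns&stderr=true&stdout=true",
+"verb": "create",
+"api_version": "v1",
+"resource_namespace": "kube-system",
+"id": "ab6eba8e-9e9b-490c-b72e-f53875b98264",
+"timestamp": "2020-03-01T15:11:57+0000",
+"subresource_exec_stdout": "true",
+"status_code": 101,
+"subresource_exec_command": "ls",
+"subresource": "exec",
+"ua_kubectl_exe": "v1.14.10",
+"time": 1583075517401,
+"resource_type": "pods",
+"access_type": "write",
+"user_groups": "system:authenticated; system:masters",
+"caller_ip": "77.125.20.90",
+"caller_ip_country": "IL",
+"non_authorized": false,
+"resource_name": "kube-system/pods/coredns-84549585c-zsv9t",
+"ua_windows": "amd6",
+"original_user_agent": "kubectl.exe/v1.14.10 (windows/amd64) kubernetes/f5757a1"},
+{"principal": "kubernetes-admin",
+"caller_ip_asn": "Partner Communications Ltd.",
+"subresource_exec_container": "aws-node",
+"user_id": "heptio-authenticator-aws:111111111111:AIDAIANUOR22TDHE5UU66",
+"rule": "pod execution",
+"cluster": "aks-test",
+"subresource_exec_stderr": "true",
+"username": "kubernetes-admin",
+"uri": "/api/v1/namespaces/kube-system/pods/aws-node-9dxs2/exec?command=ls&container=aws-node&stderr=true&stdout=true",
+"verb": "create",
+"api_version": "v1",
+"resource_namespace": "kube-system",
+"id": "5bf2ff16-7170-401b-a4c8-9679e9c3a8ab",
+"timestamp": "2020-03-01T15:12:01+0000",
+"subresource_exec_stdout": "true",
+"status_code": 101,
+"subresource_exec_command": "ls",
+"subresource": "exec",
+"ua_kubectl_exe": "v1.14.10",
+"time": 1583075521306,
+"resource_type": "pods",
+"access_type": "write",
+"user_groups": "system:authenticated; system:masters",
+"caller_ip": "77.125.20.90",
+"caller_ip_country": "IL",
+"non_authorized": false,
+"resource_name": "kube-system/pods/aws-node-9dxs2",
+"ua_windows": "amd6",
+"original_user_agent": "kubectl.exe/v1.14.10 (windows/amd64) kubernetes/f5757a1"},
+{"principal": "kubernetes-admin",
+"caller_ip_asn": "Partner Communications Ltd.",
+"subresource_exec_container": "coredns",
+"user_id": "heptio-authenticator-aws:111111111111:AIDAIANUOR22TDHE5UU66",
+"rule": "pod execution",
+"cluster": "aks-test",
+"subresource_exec_stderr": "true",
+"username": "kubernetes-admin",
+"uri": "/api/v1/namespaces/kube-system/pods/coredns-84549585c-zsv9t/exec?command=ls&container=coredns&stderr=true&stdout=true",
+"verb": "create",
+"api_version": "v1",
+"resource_namespace": "kube-system",
+"id": "91621b35-d919-47cb-97c6-1b9194735047",
+"timestamp": "2020-03-01T15:12:05+0000",
+"subresource_exec_stdout": "true",
+"status_code": 101,
+"subresource_exec_command": "ls",
+"subresource": "exec",
+"ua_kubectl_exe": "v1.14.10",
+"time": 1583075525265,
+"resource_type": "pods",
+"access_type": "write",
+"user_groups": "system:authenticated; system:masters",
+"caller_ip": "77.125.20.90",
+"caller_ip_country": "IL",
+"non_authorized": false,
+"resource_name": "kube-system/pods/coredns-84549585c-zsv9t",
+"ua_windows": "amd6",
+"original_user_agent": "kubectl.exe/v1.14.10 (windows/amd64) kubernetes/f5757a1"},
+{"principal": "kubernetes-admin",
+"caller_ip_asn": "Partner Communications Ltd.",
+"subresource_exec_container": "aws-node",
+"user_id": "heptio-authenticator-aws:111111111111:AIDAIANUOR22TDHE5UU66",
+"rule": "pod execution",
+"cluster": "aks-test",
+"subresource_exec_stderr": "true",
+"username": "kubernetes-admin",
+"uri": "/api/v1/namespaces/kube-system/pods/aws-node-xnslz/exec?command=ls&container=aws-node&stderr=true&stdout=true",
+"verb": "create",
+"api_version": "v1",
+"resource_namespace": "kube-system",
+"id": "a9f7ad8d-5699-46c1-8af9-539d8eb085a8",
+"timestamp": "2020-03-01T15:12:09+0000",
+"subresource_exec_stdout": "true",
+"status_code": 101,
+"subresource_exec_command": "ls",
+"subresource": "exec",
+"ua_kubectl_exe": "v1.14.10",
+"time": 1583075529184,
+"resource_type": "pods",
+"access_type": "write",
+"user_groups": "system:authenticated; system:masters",
+"caller_ip": "77.125.20.90",
+"caller_ip_country": "IL",
+"non_authorized": false,
+"resource_name": "kube-system/pods/aws-node-xnslz",
+"ua_windows": "amd6",
+"original_user_agent": "kubectl.exe/v1.14.10 (windows/amd64) kubernetes/f5757a1"},
+{"principal": "kubernetes-admin",
+"caller_ip_asn": "Partner Communications Ltd.",
+"subresource_exec_container": "coredns",
+"user_id": "heptio-authenticator-aws:111111111111:AIDAIANUOR22TDHE5UU66",
+"rule": "pod execution",
+"cluster": "aks-test",
+"subresource_exec_stderr": "true",
+"username": "kubernetes-admin",
+"uri": "/api/v1/namespaces/kube-system/pods/coredns-84549585c-zsv9t/exec?command=ls&container=coredns&stderr=true&stdout=true",
+"verb": "create",
+"api_version": "v1",
+"resource_namespace": "kube-system",
+"id": "ef9d851a-8280-4a60-8f40-44f88538966e",
+"timestamp": "2020-03-01T15:27:02+0000",
+"subresource_exec_stdout": "true",
+"status_code": 101,
+"subresource_exec_command": "ls",
+"subresource": "exec",
+"ua_kubectl_exe": "v1.14.10",
+"time": 1583076422347,
+"resource_type": "pods",
+"access_type": "write",
+"user_groups": "system:authenticated; system:masters",
+"caller_ip": "77.125.20.90",
+"caller_ip_country": "IL",
+"non_authorized": false,
+"resource_name": "kube-system/pods/coredns-84549585c-zsv9t",
+"ua_windows": "amd6",
+"original_user_agent": "kubectl.exe/v1.14.10 (windows/amd64) kubernetes/f5757a1"},
+{"principal": "kubernetes-admin",
+"caller_ip_asn": "Partner Communications Ltd.",
+"subresource_exec_container": "aws-node",
+"user_id": "heptio-authenticator-aws:111111111111:AIDAIANUOR22TDHE5UU66",
+"rule": "pod execution",
+"cluster": "aks-test",
+"subresource_exec_stderr": "true",
+"username": "kubernetes-admin",
+"uri": "/api/v1/namespaces/kube-system/pods/aws-node-9dxs2/exec?command=ls&container=aws-node&stderr=true&stdout=true",
+"verb": "create",
+"api_version": "v1",
+"resource_namespace": "kube-system",
+"id": "5ce9e69a-ad40-4794-ac56-cc7fe0b4b752",
+"timestamp": "2020-03-01T15:27:06+0000",
+"subresource_exec_stdout": "true",
+"status_code": 101,
+"subresource_exec_command": "ls",
+"subresource": "exec",
+"ua_kubectl_exe": "v1.14.10",
+"time": 1583076426279,
+"resource_type": "pods",
+"access_type": "write",
+"user_groups": "system:authenticated; system:masters",
+"caller_ip": "77.125.20.90",
+"caller_ip_country": "IL",
+"non_authorized": false,
+"resource_name": "kube-system/pods/aws-node-9dxs2",
+"ua_windows": "amd6",
+"original_user_agent": "kubectl.exe/v1.14.10 (windows/amd64) kubernetes/f5757a1"},
+{"principal": "kubernetes-admin",
+"caller_ip_asn": "Partner Communications Ltd.",
+"subresource_exec_container": "aws-node",
+"user_id": "heptio-authenticator-aws:111111111111:AIDAIANUOR22TDHE5UU66",
+"rule": "pod execution",
+"cluster": "aks-test",
+"subresource_exec_stderr": "true",
+"username": "kubernetes-admin",
+"uri": "/api/v1/namespaces/kube-system/pods/aws-node-n7tw4/exec?command=ls&container=aws-node&stderr=true&stdout=true",
+"verb": "create",
+"api_version": "v1",
+"resource_namespace": "kube-system",
+"id": "dced3d99-909d-48a8-b52b-90e959b80f42",
+"timestamp": "2020-03-01T15:27:10+0000",
+"subresource_exec_stdout": "true",
+"status_code": 101,
+"subresource_exec_command": "ls",
+"subresource": "exec",
+"ua_kubectl_exe": "v1.14.10",
+"time": 1583076430125,
+"resource_type": "pods",
+"access_type": "write",
+"user_groups": "system:authenticated; system:masters",
+"caller_ip": "77.125.20.90",
+"caller_ip_country": "IL",
+"non_authorized": false,
+"resource_name": "kube-system/pods/aws-node-n7tw4",
+"ua_windows": "amd6",
+"original_user_agent": "kubectl.exe/v1.14.10 (windows/amd64) kubernetes/f5757a1"},
+{"principal": "kubernetes-admin",
+"caller_ip_asn": "Partner Communications Ltd.",
+"subresource_exec_container": "aws-node",
+"user_id": "heptio-authenticator-aws:111111111111:AIDAIANUOR22TDHE5UU66",
+"rule": "pod execution",
+"cluster": "aks-test",
+"subresource_exec_stderr": "true",
+"username": "kubernetes-admin",
+"uri": "/api/v1/namespaces/kube-system/pods/aws-node-7d5tn/exec?command=ls&container=aws-node&stderr=true&stdout=true",
+"verb": "create",
+"api_version": "v1",
+"resource_namespace": "kube-system",
+"id": "43cee327-a785-4dd1-9017-6bba6953f124",
+"timestamp": "2020-03-01T15:27:14+0000",
+"subresource_exec_stdout": "true",
+"status_code": 101,
+"subresource_exec_command": "ls",
+"subresource": "exec",
+"ua_kubectl_exe": "v1.14.10",
+"time": 1583076434100,
+"resource_type": "pods",
+"access_type": "write",
+"user_groups": "system:authenticated; system:masters",
+"caller_ip": "77.125.20.90",
+"caller_ip_country": "IL",
+"non_authorized": false,
+"resource_name": "kube-system/pods/aws-node-7d5tn",
+"ua_windows": "amd6",
+"original_user_agent": "kubectl.exe/v1.14.10 (windows/amd64) kubernetes/f5757a1"},
+{"principal": "kubernetes-admin",
+"caller_ip_asn": "Partner Communications Ltd.",
+"subresource_exec_container": "aws-node",
+"user_id": "heptio-authenticator-aws:111111111111:AIDAIANUOR22TDHE5UU66",
+"rule": "pod execution",
+"cluster": "aks-test",
+"subresource_exec_stderr": "true",
+"username": "kubernetes-admin",
+"uri": "/api/v1/namespaces/kube-system/pods/aws-node-xnslz/exec?command=ls&container=aws-node&stderr=true&stdout=true",
+"verb": "create",
+"api_version": "v1",
+"resource_namespace": "kube-system",
+"id": "3391d6c1-106f-4acf-b298-0ca9fad13b9e",
+"timestamp": "2020-03-01T15:27:18+0000",
+"subresource_exec_stdout": "true",
+"status_code": 101,
+"subresource_exec_command": "ls",
+"subresource": "exec",
+"ua_kubectl_exe": "v1.14.10",
+"time": 1583076438039,
+"resource_type": "pods",
+"access_type": "write",
+"user_groups": "system:authenticated; system:masters",
+"caller_ip": "77.125.20.90",
+"caller_ip_country": "IL",
+"non_authorized": false,
+"resource_name": "kube-system/pods/aws-node-xnslz",
+"ua_windows": "amd6",
+"original_user_agent": "kubectl.exe/v1.14.10 (windows/amd64) kubernetes/f5757a1"},
+{"principal": "kubernetes-admin",
+"caller_ip_asn": "Partner Communications Ltd.",
+"subresource_exec_container": "kube-proxy",
+"user_id": "heptio-authenticator-aws:111111111111:AIDAIANUOR22TDHE5UU66",
+"rule": "pod execution",
+"cluster": "aks-test",
+"subresource_exec_stderr": "true",
+"username": "kubernetes-admin",
+"uri": "/api/v1/namespaces/kube-system/pods/kube-proxy-ttffx/exec?command=ls&command=%2Fbin&container=kube-proxy&stderr=true&stdout=true",
+"verb": "create",
+"api_version": "v1",
+"resource_namespace": "kube-system",
+"id": "aeadbc36-0d27-4431-9b2f-72860ed1d413",
+"timestamp": "2020-03-01T15:38:12+0000",
+"subresource_exec_stdout": "true",
+"status_code": 101,
+"subresource_exec_command": "ls /bin",
+"subresource": "exec",
+"time": 1583077092076,
+"resource_type": "pods",
+"access_type": "write",
+"user_groups": "system:authenticated; system:masters",
+"ua_kubectl": "v1.14.10",
+"caller_ip": "77.125.20.90",
+"caller_ip_country": "IL",
+"non_authorized": false,
+"resource_name": "kube-system/pods/kube-proxy-ttffx",
+"ua_windows": "amd6",
+"original_user_agent": "kubectl/v1.14.10 (windows/amd64) kubernetes/f5757a1"}]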
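Review bot: Every record in this sample carries a real public address, `"caller_ip": "77.125.20.90"`, together with its ASN and country, plus a `user_id` shaped like an IAM principal id; since this file is committed to a public repository and loaded into demo workspaces, it is safer to replace them with documentation values (an address from RFC 5737 `192.0.2.0/24`, a clearly fake principal id) so the sample cannot be read as an indicator pointing at a third party. `"ua_windows": "amd6"` appears truncated from the `amd64` visible in `original_user_agent` on the same record — if the connector's parser really emits it this way, that is a parser defect to fix upstream rather than something to preserve in sample data. `"non_authorized": false` is a JSON boolean while `"subresource_exec_stderr": "true"` and `"subresource_exec_stdout": "true"` are strings; on ingestion these presumably become columns of different types, which detection queries written against the sample will have to account for, so picking one representation per concept would keep the schema predictable.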