data_sources/kubernetes_audit.yml

name: Kubernetes Audit
id: 6c25181a-0c07-4aaf-90e6-77ab1f0e6699
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
description: Data source object for Kubernetes Audit
source: kubernetes
sourcetype: _json
supported_TA: []
fields:
- _time
- annotations.authorization.k8s.io/decision
- annotations.authorization.k8s.io/reason
- apiVersion
- auditID
- eventtype
- host
- index
- kind
- level
- linecount
- objectRef.apiGroup
- objectRef.apiVersion
- objectRef.namespace
- objectRef.resource
- punct
- requestReceivedTimestamp
- requestURI
- responseObject.apiVersion
- responseObject.code
- responseObject.details.group
- responseObject.details.kind
- responseObject.kind
- responseObject.message
- responseObject.reason
- responseObject.status
- responseStatus.code
- responseStatus.details.group
- responseStatus.details.kind
- responseStatus.message
- responseStatus.reason
- responseStatus.status
- source
- sourceIPs{}
- sourcetype
- splunk_server
- stage
- stageTimestamp
- tag
- tag::eventtype
- timestamp
- user.groups{}
- user.uid
- user.username
- userAgent
- verb
example_log: '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"582c31ab-4906-49bb-9ff9-872f980ccb84","stage":"ResponseComplete","requestURI":"/apis/batch/v1/namespaces/test2/jobs?fieldManager=kubectl-create\u0026fieldValidation=Strict","verb":"create","user":{"username":"k8s-test-user","uid":"aws-iam-authenticator:591511147606:AROAYTOGP2RLFHNBOTP5J","groups":["system:authenticated"]},"sourceIPs":["176.95.188.101"],"userAgent":"kubectl/v1.27.2
  (darwin/arm64) kubernetes/7f6f68f","objectRef":{"resource":"jobs","namespace":"test2","apiGroup":"batch","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Failure","message":"jobs.batch
  is forbidden: User \"k8s-test-user\" cannot create resource \"jobs\" in API group
  \"batch\" in the namespace \"test2\"","reason":"Forbidden","details":{"group":"batch","kind":"jobs"},"code":403},"responseObject":{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"jobs.batch
  is forbidden: User \"k8s-test-user\" cannot create resource \"jobs\" in API group
  \"batch\" in the namespace \"test2\"","reason":"Forbidden","details":{"group":"batch","kind":"jobs"},"code":403},"requestReceivedTimestamp":"2023-12-07T14:44:53.358394Z","stageTimestamp":"2023-12-07T14:44:53.375985Z","annotations":{"authorization.k8s.io/decision":"forbid","authorization.k8s.io/reason":""}}'