elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Rule Tuning] Interactive Exec Command Launched Against A Running Container #3999

Open damianfedeczko opened 2 months ago

damianfedeczko commented 2 months ago

Link to Rule

https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml

Rule Tuning Type

Contextual Tuning - Customizing rules based on specific environment factors.

Description

The "Interactive Exec Command Launched Against A Running Container" rule could/should include and correlate the data from the Cloud Defend (D4C) and Kubernetes (Audit Logs) integration to provide information about the source.ip from which the exec command has been launched to allow defenders to potentially block further command execution from the provided IP.

Example Data

No response

imays11 commented 2 months ago

Hey @damianfedeczko, thanks for the request! Can you give some more information about what tuning to the rule you're looking for? Maybe some sample data as well.

damianfedeczko commented 2 months ago

Hello @imays11, thanks for your response! I'm looking at some enrichment for the mentioned alert; right now, an example event summary for the "Interactive Exec Command Launched Against A Running Container" rule alert looks like this:

[image: example alert event summary for the "Interactive Exec Command Launched Against A Running Container" rule]

From the alert data, we can check the fields like orchestrator.resource.ip and host.ip - which allow us to identify the container (and underlying host) the interactive command has been launched against.

What I'm missing in this rule is a data correlation with Kubernetes audit-logs dataset - kubernetes.audit_logs - a data field from the audit event such as source.ip or client.ip which would provide information about the IP address from which the exec command has been launched against the Kubernetes API, and effectively, against the running container.

So, the desired event summary would not only provide information about the command executed against a container, but also insights from where the API call to perform the kubectl exec action has originated. Hope this makes sense, thanks for looking into this!

imays11 commented 1 month ago

Hi @damianfedeczko, thank you for your patience. So what you're asking for isn't something that can be accomplished via a rule tuning; you're looking to cross-correlate data from multiple integrations. This is something that requires more work as a feature within the Security App and is currently on the roadmap for the Elastic team responsible for this type of scenario. You could, however, use ES|QL to correlate signals in the alerts index. I will gladly try to provide you with an ES|QL query that might work to correlate the alerts from both related rules, "Interactive Exec Command Launched Against A Running Container" from cloud_defend and "Kubernetes Exec Into Pod" from the K8s Audit Logs integration, if you can provide me with sample event data for those alerts.
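One way to express the cross-integration correlation imays11 describes, as an added example that is not part of this issue or of the detection-rules repository: pair each cloud_defend exec alert with "Kubernetes Exec Into Pod" audit alerts for the same pod that fired shortly before it, so the API client IP (source.ip) sits next to the container and host IPs from the thread. It assumes alert documents shaped like the fields named above and that both alerts expose the target pod name under orchestrator.resource.name (an assumption, not something the issue confirms); the sample alerts and IPs are constructed.

```python
from datetime import datetime, timedelta

# Rule names quoted in the issue thread.
CLOUD_DEFEND_RULE = "Interactive Exec Command Launched Against A Running Container"
K8S_AUDIT_RULE = "Kubernetes Exec Into Pod"

def _ts(alert):
    # Alert @timestamp is ISO 8601 in UTC; the replace() keeps older Pythons happy.
    return datetime.fromisoformat(alert["@timestamp"].replace("Z", "+00:00"))

def correlate_exec_alerts(alerts, window=timedelta(minutes=5)):
    """For every cloud_defend exec alert, find K8s audit exec alerts on the same pod
    (assumed shared key: orchestrator.resource.name) fired within `window` before it."""
    audit_by_pod = {}
    for a in alerts:
        if a["kibana.alert.rule.name"] == K8S_AUDIT_RULE:
            audit_by_pod.setdefault(a["orchestrator.resource.name"], []).append(a)
    enriched = []
    for a in alerts:
        if a["kibana.alert.rule.name"] != CLOUD_DEFEND_RULE:
            continue
        t = _ts(a)
        for b in audit_by_pod.get(a["orchestrator.resource.name"], []):
            delta = t - _ts(b)
            if timedelta(0) <= delta <= window:  # audit call precedes the exec
                enriched.append({
                    "pod": a["orchestrator.resource.name"],
                    "container_ip": a["orchestrator.resource.ip"],
                    "host_ip": a["host.ip"],
                    "api_client_ip": b["source.ip"],  # where the kubectl exec came from
                    "lag_seconds": delta.total_seconds(),
                })
    return enriched

# Constructed sample alerts (not real data), minimal fields only.
SAMPLE_ALERTS = [
    {"@timestamp": "2024-05-01T10:00:02Z", "kibana.alert.rule.name": K8S_AUDIT_RULE,
     "orchestrator.resource.name": "web-7d9f", "source.ip": "203.0.113.7"},
    {"@timestamp": "2024-05-01T10:00:05Z", "kibana.alert.rule.name": CLOUD_DEFEND_RULE,
     "orchestrator.resource.name": "web-7d9f", "orchestrator.resource.ip": "10.244.1.12",
     "host.ip": "192.168.10.21"},
    # Audit alert for a different pod: must not be paired.
    {"@timestamp": "2024-05-01T10:00:03Z", "kibana.alert.rule.name": K8S_AUDIT_RULE,
     "orchestrator.resource.name": "db-1a2b", "source.ip": "198.51.100.9"},
    # Same pod but an hour earlier: outside the correlation window.
    {"@timestamp": "2024-05-01T09:00:00Z", "kibana.alert.rule.name": K8S_AUDIT_RULE,
     "orchestrator.resource.name": "web-7d9f", "source.ip": "192.0.2.44"},
]
```

Running `correlate_exec_alerts(SAMPLE_ALERTS)` yields one pairing, attributing the exec on web-7d9f to API client 203.0.113.7; an equivalent ES|QL approach would group the two rules' alerts on the same pod key within a time bucket.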