From 0d337ae800ec08676f8e99ea124aadd70f0cca43 Mon Sep 17 00:00:00 2001
From: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Date: Mon, 27 Nov 2023 14:46:36 -0700
Subject: [PATCH] k8s pack (#974)

---
 packs/kubernetes.yml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 packs/kubernetes.yml

diff --git a/packs/kubernetes.yml b/packs/kubernetes.yml
new file mode 100644
index 000000000..bf290a291
--- /dev/null
+++ b/packs/kubernetes.yml
@@ -0,0 +1,22 @@
+AnalysisType: pack
+PackID: PantherManaged.Kubernetes.Core
+DisplayName: "Panther Core Kubernetes Pack"
+Description: This is a group of detections that act on Kubernetes logs sourced from Amazon EKS.
+PackDefinition:
+ IDs:
+ # Kubernetes scheduled queries and rules
+ - Kubernetes.CronJobCreatedOrModified
+ - Kubernetes.DaemonSetDeployed
+ - Kubernetes.IOCActivity
+ - Kubernetes.NewAdmissionControllerCreated
+ - Kubernetes.OverlyPermissivePod
+ - Kubernetes.PodAttachedHostNetwork
+ - Kubernetes.PodCreatedDefaultNameSpace
+ - Kubernetes.PodHostPathVolumeMount
+ - Kubernetes.PodUsingHostPIDNamespace
+ - Kubernetes.PodUsingIPCNamespace
+ - Kubernetes.PrivilegedPodCreated
+ - Kubernetes.SecretEnumeration
+ - Kubernetes.ServiceTypeNodePortDeployed
+ - Kubernetes.UnauthenticatedAPIRequest
+ - Kubernetes.UnauthorizedPodExecution
\ No newline at end of file
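Review bot: The new file ends without a trailing newline (the `\ No newline at end of file` marker after `- Kubernetes.UnauthorizedPodExecution`), which will make the next addition to the IDs list show up as a two-line diff and trips most YAML linters; add a final newline after the last entry. The `# Kubernetes scheduled queries and rules` comment says the list holds scheduled queries as well, but every ID under `IDs:` appears to be a rule, so either the comment should read `# Kubernetes rules` or the intended scheduled-query IDs are missing from the pack — worth confirming against the detections directory. As a point of style, `DisplayName` is quoted while `Description` is a bare scalar containing punctuation; quoting both consistently avoids surprises if a colon is ever added to the description.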