Kubernetes

Use the IBM Security QRadar Custom Properties for Kubernetes to closely monitor your Kubernetes deployment.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Custom Properties for Kubernetes

IBM Security QRadar Custom Properties for Kubernetes V1.0.2

The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties for Kubernetes V1.0.2.

Table 1. New or updated custom properties in IBM Security QRadar Custom Properties for Kubernetes V1.0.2

Name             Optimized  Capture Group  Type  Expression
Container Image  Yes        -              JSON  /"requestObject"/"spec"/"containers"[0]/"image"

IBM Security QRadar Custom Properties for Kubernetes V1.0.1

The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties for Kubernetes V1.0.1.

Table 2. New or updated custom properties in IBM Security QRadar Custom Properties for Kubernetes V1.0.1

Name                       Optimized  Capture Group  Expression
Namespace                  Yes        1              objectRef[\":{]resource[":]+namespaces[\":]+,[\"]+name":"(.*?)"
Privileged Container       Yes        1              securityContext[\":\{]privileged[":](true)
Priviliged Container Name  No         1              securityContext[\":{]+privileged[":]+true}+,[\":\{]+name":"(.*?)"
Source Mount Point         Yes        1              volumeMounts"\:[{.*?\"mountPath[\":]([^\"])

IBM Security QRadar Custom Properties for Kubernetes V1.0.0

The following table shows the custom properties in IBM Security QRadar Custom Properties for Kubernetes V1.0.0.

Table 3. Custom properties in IBM Security QRadar Custom Properties for Kubernetes V1.0.0

Name                       Optimized  Regex Capture Group  Type   Expression
API Path                   No         -                    JSON   /"requestURI"
Container Image            No         -                    JSON   /"requestObject"/"spec"/"containers"[0]/"image"
Container Name             No         -                    JSON   /"requestObject"/"spec"/"containers"[0]/"name"
MessageID                  No         -                    JSON   /"auditID"
Namespace                  Yes        -                    JSON   /"objectRef"/"namespace"
Privileged Container       Yes        1                    Regex  \\"containers\\":.*?\\"securityContext\\":\{\\"privileged\\":(true)
Priviliged Container Name  No         1                    Regex  \\"containers\\":.*\\"name\\":\\"(.*?)\\",\\"securityContext\\":\{\\"privileged\\":true
Process CommandLine        Yes        -                    Regex  command=(.*?)container=
Reason                     Yes        -                    JSON   /"responseStatus"/"reason"
Resource                   Yes        -                    JSON   /"objectRef"/"resource"
Resource Name              Yes        -                    JSON   /"objectRef"/"name"
Role                       Yes        -                    JSON   /"requestObject"/"roleRef"/"name"
Role Actions               Yes        -                    JSON   /"requestObject"/"rules"[0]/"verbs"[]
Role Assigned Resources    Yes        -                    JSON   /"requestObject"/"rules"[0]/"resources"[]
Target User Name           Yes        1                    Regex  "subjects"\:\[\{.*?\"name\"\:\"([^\"]+)\"
User Agent                 No         -                    JSON   /"userAgent"
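
Before building a rule on one of these properties it is worth confirming what the expression actually returns for a sample event. The following added Python example (not part of the content extension or of this page) evaluates three of the Table 3 JSON expressions and the two privileged-container regexes against a constructed Kubernetes audit event. The keypath evaluator is a minimal interpretation of the notation shown in the tables, and wrapping the event as a backslash-escaped JSON string before regex matching is an assumption made to fit the `\\"` patterns.

```python
import json
import re

# Constructed Kubernetes audit event (not from the page). "securityContext" directly
# follows "name" because the V1.0.0 "Priviliged Container Name" regex expects that order.
AUDIT_EVENT = {
    "objectRef": {"resource": "pods", "namespace": "payments", "name": "worker"},
    "requestObject": {"spec": {"containers": [
        {"name": "worker", "securityContext": {"privileged": True},
         "image": "registry.example.com/worker:1.4"}]}},
}
# Expressions copied from Table 3; group 1 of each regex is the captured value.
JSON_PROPERTIES = {
    "Container Image": '/"requestObject"/"spec"/"containers"[0]/"image"',
    "Namespace": '/"objectRef"/"namespace"',
    "Role Actions": '/"requestObject"/"rules"[0]/"verbs"[]',
}
REGEX_PROPERTIES = {
    "Privileged Container":
        r'\\"containers\\":.*?\\"securityContext\\":\{\\"privileged\\":(true)',
    "Priviliged Container Name":
        r'\\"containers\\":.*\\"name\\":\\"(.*?)\\",\\"securityContext\\":\{\\"privileged\\":true',
}
# Hypothetical evaluator for the keypath notation in the tables:
# /"key" descends into a member, [n] picks one array element, [] takes every element.
TOKEN = re.compile(r'/"([^"]+)"|\[(\d*)\]')

def keypath(obj, expr):
    # Returns every selected value; an absent path yields an empty list, not an error.
    nodes = [obj]
    for key, index in TOKEN.findall(expr):
        if key:
            nodes = [n[key] for n in nodes if isinstance(n, dict) and key in n]
        elif index == "":
            nodes = [v for n in nodes if isinstance(n, list) for v in n]
        else:
            i = int(index)
            nodes = [n[i] for n in nodes if isinstance(n, list) and len(n) > i]
    return nodes

def extract_all(event):
    # Assumption: the regexes match backslash-escaped quotes, so the compact event JSON
    # is embedded as a string inside an outer JSON document before matching.
    payload = json.dumps(json.dumps(event, separators=(",", ":")))
    result = {name: keypath(event, expr) for name, expr in JSON_PROPERTIES.items()}
    for name, pattern in REGEX_PROPERTIES.items():
        m = re.search(pattern, payload)
        result[name] = m.group(1) if m else None  # None: the regex did not match
    return result
```

A non-privileged pod yields None for both regex properties, and "Role Actions" is an empty list for a pod event because the path only exists on Role and ClusterRole objects.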