Kubernetes

Use the IBM® QRadar® Custom Properties for Kubernetes to closely monitor your Kubernetes deployment.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Custom Properties for Kubernetes

IBM Security QRadar Custom Properties for Kubernetes V1.0.2
IBM Security QRadar Custom Properties for Kubernetes V1.0.1
IBM Security QRadar Custom Properties for Kubernetes V1.0.0

IBM Security QRadar Custom Properties for Kubernetes V1.0.2

The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties for Kubernetes V1.0.2.

Table 1. New or updated custom properties in IBM Security QRadar Custom Properties for Kubernetes V1.0.2
Name	Optimized	Capture Group	Expressions
Container Image	Yes		JSON /"requestObject"/"spec"/"containers"[0]/"image"

_{(Back to top)}

IBM Security QRadar Custom Properties for Kubernetes V1.0.1

The following table shows the custom properties that are new or updated in IBM Security QRadar Custom Properties for Kubernetes V1.0.1.

Table 2. New or updated custom properties in IBM Security QRadar Custom Properties for Kubernetes V1.0.1
Name	Optimized	Capture Group	Expressions
Namespace	Yes	1	objectRef[\":{]resource[":]+namespaces[\":]+,[\"]+name":"(.*?)"
Privileged Container	Yes	1	securityContext[\":\{]privileged[":](true)
Priviliged Container Name	No	1	securityContext[\":{]+privileged[":]+true}+,[\":\{]+name":"(.*?)"
Source Mount Point	Yes	1	volumeMounts"\:[{.*?\"mountPath[\":]([^\"])

_{(Back to top)}

IBM Security QRadar Custom Properties for Kubernetes V1.0.0

The following table shows the custom properties in IBM Security QRadar Custom Properties for Kubernetes V1.0.0.

Table 3. Custom Properties in IBM Security QRadar Custom Properties for Kubernetes V1.0.0
Name	Optimized	Regex Capture Group	Expressions
API Path	No		JSON /"requestURI"
Container Image	No		JSON /"requestObject"/"spec"/"containers"[0]/"image"
Container Name	No		JSON /"requestObject"/"spec"/"containers"[0]/"name"
MessageID	No		JSON /"auditID"
Namespace	Yes		JSON /"objectRef"/"namespace"
Privileged Container	Yes	1	Regex \\"containers\\":.*?\\"securityContext\\":\{\\"privileged\\":(true)
Priviliged Container Name	No	1	Regex \\"containers\\":.\\"name\\":\\"(.?)\\",\\"securityContext\\":\{\\"privileged\\":true
Process CommandLine	Yes		Regex command=(.*?)container=
Reason	Yes		JSON /"responseStatus"/"reason"
Resource	Yes		JSON /"objectRef"/"resource"
Resource Name	Yes		JSON /"objectRef"/"name"
Role	Yes		JSON /"requestObject"/"roleRef"/"name"
Role Actions	Yes		JSON /"requestObject"/"rules"[0]/"verbs"[]
Role Assigned Resources	Yes		JSON /"requestObject"/"rules"[0]/"resources"[]
Target User Name	Yes	1	Regex "subjects"\:\[\{.*?\"name\"\:\"([^\"]+)\"
User Agent	No		JSON /"userAgent"

_{(Back to top)}