Kubernetes auditing

The Kubernetes auditing system records the activities of users, administrators, and other components that have affected the cluster. Prisma Cloud can ingest, analyze, and alert on security-relevant events. Write custom rules or leverage Prisma Cloud Labs prewritten rules to assess the incoming audit stream and surface suspicious activity.
The audit event types available to you are limited to those configured in the cloud provider's audit policy.

Rule library

Custom rules are stored in a central library, where they can be reused. Besides your own rules, Prisma Cloud Labs also distributes rules via the Intelligence Stream. These rules are shipped in a disabled state by default. You can review, and optionally apply them at any time.
Your Kubernetes audit policy is defined in Defend > Access > Kubernetes, and formulated from the rules in your library. There are four types of rules, but the only one relevant to the audit policy is the kubernetes-audit type. Custom rules are written and managed in Console under Defend > Custom configs > Runtime with an online editor. The compiler checks for syntax errors when you save a rule.

Expression grammar

Expressions let you examine the contents of a Kubernetes audit. Expressions have the following grammar:
  • term
    --
    integer | string | keyword | event | '(' expression ')' | unaryOp term
  • in
    --
    '(' integer | string (',' integer | string)*)?
  • op
    --
    and | or | > | < | >= | <= | = | !=
  • unaryOp
    --
    not
  • keyword
    --
    startswith | contains
  • string
    --
    Strings must be enclosed in double quotes
  • integer
    --
    int
  • event
    --
    process, file system, or network

Kubernetes audit events

When Prisma Cloud receives an audit, it is assessed against your policy. Like all policies in Prisma Cloud, rule order is important. Rules are processed top to bottom, and processing stops at the first match. When a rule matches, an alert is raised.
Write rules to surface audits of interest. Rules are written with the jpath function, which extracts fields from JSON objects (the format of a Kubernetes audit). The extracted string can then be compared against strings of interest. The primary operators for jpath expressions are '=', 'in', and 'contains'. For non-trivial examples, look at the Prisma Cloud Labs rules.
The argument to jpath is a single string. The right side of the expression must also be a string. A basic rule with a single jpath expression has the following form:
jpath("path.in.json.object") = "something"
Let’s look at some examples using the following JSON object as the example audit.
{
  "user": {
    "uid": "1234",
    "username": "some-user-name",
    "groups": [ "group1", "group2" ]
  },
  "stage": "ResponseComplete"
}
To examine the user’s UID, use the following syntax. This expression evaluates to true.
jpath("user.uid") = "1234"
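To make the evaluation semantics described above concrete (jpath extraction, the '=', 'in', 'contains' and 'startswith' operators, and top-to-bottom rule order with a stop at the first match), here is an added illustrative evaluator in Python. It is not Prisma Cloud's rule engine: jpath is modelled as a simple dotted-key walk, and element-wise matching of list-valued fields (such as user.groups) under 'contains' is an assumption made for this illustration.

```python
# Added illustrative evaluator, not Prisma Cloud's engine. jpath is modelled as
# a dotted-key walk over the audit JSON (assumption; the full syntax is not shown).
import json

# Constructed sample audit (the same object used in the text above).
SAMPLE_AUDIT = json.loads(
    '{ "user":{ "uid":"1234", "username":"some-user-name", '
    '"groups":[ "group1", "group2" ] }, "stage":"ResponseComplete" }'
)

def jpath(audit, path):
    """Extract a field by dotted path; returns None when any segment is absent."""
    node = audit
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def evaluate(audit, predicate):
    """Evaluate one (path, op, rhs) predicate against an audit.
    Ops mirror the page: '=', '!=', 'in', 'contains', 'startswith'.
    List-valued fields are matched element-wise under 'contains' (assumption)."""
    path, op, rhs = predicate
    value = jpath(audit, path)
    if value is None:               # missing field never matches
        return False
    if op == "=":
        return value == rhs
    if op == "!=":
        return value != rhs
    if op == "in":                  # rhs is a tuple of candidate strings
        return value in rhs
    if op == "contains":
        return rhs in value if isinstance(value, list) else rhs in str(value)
    if op == "startswith":
        return str(value).startswith(rhs)
    raise ValueError(f"unsupported operator: {op}")

def first_matching_rule(audit, policy):
    """Rules are processed top to bottom and processing stops at the first match.
    policy is a list of (rule_name, predicate); returns the matching name or None."""
    for name, predicate in policy:
        if evaluate(audit, predicate):
            return name
    return None

# Constructed policy: the exact-UID rule sits above a broader group rule, so
# rule order decides which single alert is raised for the sample audit.
POLICY = [
    ("uid-1234", ("user.uid", "=", "1234")),
    ("group1-members", ("user.groups", "contains", "group1")),
    ("completed-stage", ("stage", "in", ("ResponseComplete", "ResponseStarted"))),
]
```

Reordering POLICY so the group rule comes first changes which alert fires, which is the rule-order behaviour the text warns about.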
To examine