Parse a specific field (runasuser) from kubernetes into SecOps

Hello! 

When a deployment is created in Kubernetes, it is possible to add a field as part of the securityContext named runAsUser. If the value in this field is 0, that means the deployment is run as root, which is not good at all from a security perspective. So, we would like to detect when this happens using Chronicle.

In the documentation (https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-audit-logs), it is possible to see an entry that ends with runAsUser, so that means the parser is able to handle it. It is also shown in the code:

(screenshot attached: parser code showing the runAsUser field)

But when I create the deployment and SecOps processes it, the field is not displayed. What could I do?

(screenshot attached: the parsed event in SecOps without the runAsUser field)
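The check described in the question, as an added example that is not part of the original post and not Google SecOps' own parser code: a small Python routine that walks a Kubernetes audit log entry as Cloud Logging would forward it, resolves the effective runAsUser per container (a container-level securityContext overrides the pod-level one), and returns the containers that would run as UID 0. The log sample is constructed, and the nesting of the Deployment object under protoPayload.request is an assumption modelled on the Kubernetes API, not a real capture. It also accepts runAsUser as a string, in case the pipeline emits the number that way.

```python
import json

# Constructed sample of a GKE audit log entry (Cloud Logging JSON).
# The protoPayload.request nesting is an assumption, not a real capture.
SAMPLE_LOG = r'''{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "methodName": "io.k8s.apps.v1.deployments.create",
    "resourceName": "apps/v1/namespaces/default/deployments/web",
    "request": {
      "apiVersion": "apps/v1",
      "kind": "Deployment",
      "metadata": {"name": "web", "namespace": "default"},
      "spec": {
        "template": {
          "spec": {
            "securityContext": {"runAsUser": 1000},
            "containers": [
              {"name": "app", "image": "example/app:1.0",
               "securityContext": {"runAsUser": 0}},
              {"name": "sidecar", "image": "example/sidecar:1.0"}
            ]
          }
        }
      }
    }
  },
  "resource": {"type": "k8s_cluster"},
  "timestamp": "2025-02-26T10:12:00Z"
}'''

# Second constructed sample: pod-level runAsUser given as the string "0",
# with no container-level override, so every container inherits root.
SAMPLE_LOG_STRING_UID = json.dumps({
    "protoPayload": {
        "methodName": "io.k8s.apps.v1.deployments.create",
        "request": {
            "kind": "Deployment",
            "spec": {"template": {"spec": {
                "securityContext": {"runAsUser": "0"},
                "containers": [{"name": "app"}, {"name": "sidecar"}]}}}
        }
    }
})


def to_uid(value):
    """Normalise runAsUser to an int. Kubernetes stores it as an integer,
    but a log pipeline may emit it as a string; None if absent/unparseable."""
    if value is None:
        return None
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def container_run_as_users(deployment):
    """Map container name -> effective runAsUser (None when unset).
    A container-level securityContext overrides the pod-level one."""
    pod_spec = deployment.get("spec", {}).get("template", {}).get("spec", {})
    pod_uid = to_uid((pod_spec.get("securityContext") or {}).get("runAsUser"))
    effective = {}
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        c_uid = to_uid((c.get("securityContext") or {}).get("runAsUser"))
        effective[c["name"]] = c_uid if c_uid is not None else pod_uid
    return effective


def root_containers(audit_entry):
    """Names of containers whose effective runAsUser is 0 in one audit entry
    (raw JSON string or parsed dict); [] for non-Deployment requests."""
    if isinstance(audit_entry, str):
        audit_entry = json.loads(audit_entry)
    request = audit_entry.get("protoPayload", {}).get("request") or {}
    if request.get("kind") != "Deployment":
        return []
    return [name for name, uid in container_run_as_users(request).items() if uid == 0]


if __name__ == "__main__":
    for entry in (SAMPLE_LOG, SAMPLE_LOG_STRING_UID):
        print("containers running as root:", root_containers(entry))
```

A container with no runAsUser at either level gets None rather than 0: the UID then comes from the image's USER instruction, which the audit log does not show, so it is reported as unknown rather than as root.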

 


Hi Keso.

You can create a Parser extension to map this field correctly. If you share your raw log, log type/parser used, and a bit more information on what you're trying to do, I can help you write the parser extension.

Hi @keso,

I haven't seen a raw log containing this; maybe it's not a string within the raw log and needs converting to a string, and then it will output successfully. If you open a support ticket they should be able to look into this!

Kind Regards,

Ayman