Kubernetes.audit_logs: fix processing of Azure AKS audit logs

packages/kubernetes/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.81.1"
+  changes:
+    - description: Fix processing of Azure AKS audit logs.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/15585
 - version: "1.81.0"
   changes:
     - description: Support for collecting audit logs from cloud providers.

packages/kubernetes/data_stream/audit_logs/_dev/test/pipeline/test-audit.log

@@ -1,4 +1,5 @@
 {"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"abcde12345","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"get","user":{"username":"system:serviceaccounts:default:default","uid":"12345678","groups":["system:authenticated"]},"sourceIPs":["67.43.156.1"],"userAgent":"kubectl/v1.26.1","objectRef":{"resource":"pods","namespace":"default","name":"my-pod","apiGroup":"","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2025-03-04T06:22:18.819232Z","stageTimestamp":"2025-03-04T06:22:18.822532Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
 {"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"abcde12345","stage":"ResponseComplete","requestURI":"/apis/coordination.k8s.io/v1/namespaces/kube-system/leases/elastic-agent-cluster-test","verb":"get","user":{"username":"system:serviceaccount:kube-system:elastic-agent","uid":"12345678","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"],"extra":{}},"sourceIPs":["67.43.156.1"],"userAgent":"elastic-agent/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"leases","namespace":"kube-system","name":"elastic-agent-cluster-test","apiGroup":"coordination.k8s.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2025-07-16T10:12:56.525137Z","stageTimestamp":"2025-07-16T10:12:56.563177Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by RoleBinding \"elastic-agent/kube-system\" of Role \"elastic-agent\" to ServiceAccount \"elastic-agent/kube-system\""}}
 {"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"abcde12345","stage":"ResponseComplete","requestURI":"/apis/coordination.k8s.io/v1/namespaces/kube-system/leases/elastic-agent-cluster-test","verb":"get","user":{"username":"system:serviceaccount:kube-system:elastic-agent","uid":"12345678","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"],"extra":{}},"sourceIPs":["67.43.156.1"],"userAgent":"elastic-agent/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"leases","namespace":"kube-system","name":"elastic-agent-cluster-test","apiGroup":"coordination.k8s.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2025-07-16T10:12:56.525137Z","stageTimestamp":"2025-07-16T10:12:56.563177Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by RoleBinding \"elastic-agent/kube-system\" of Role \"elastic-agent\" to ServiceAccount \"elastic-agent/kube-system\""}}
-{"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"system:gke-master-healthcheck"},"authorizationInfo":[{"granted":true,"permission":"io.k8s.get","resource":"readyz"}],"methodName":"io.k8s.get","requestMetadata":{"callerIp":"67.43.156.1","callerSuppliedUserAgent":"gke-master-healthcheck"},"resourceName":"readyz","serviceName":"k8s.io","status":{"code":0}},"insertId":"1234abcd","resource":{"type":"k8s_cluster","labels":{"cluster_name":"test-cluster","location":"us-central1","project_id":"elastic-siem"}},"timestamp":"2025-07-13T08:38:39.127266Z","labels":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:public-info-viewer\" of ClusterRole \"system:public-info-viewer\" to Group \"system:authenticated\""},"logName":"projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fdata_access","operation":{"id":"1234abcd","producer":"k8s.io","first":true,"last":true},"receiveTimestamp":"2025-07-13T08:38:41.005864307Z"}
+{"protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"system:gke-master-healthcheck"},"authorizationInfo":[{"granted":true,"permission":"io.k8s.get","resource":"readyz"}],"methodName":"io.k8s.get","requestMetadata":{"callerIp":"67.43.156.1","callerSuppliedUserAgent":"gke-master-healthcheck"},"resourceName":"readyz","serviceName":"k8s.io","status":{"code":0}},"insertId":"1234abcd","resource":{"type":"k8s_cluster","labels":{"cluster_name":"test-cluster","location":"us-central1","project_id":"elastic-siem"}},"timestamp":"2025-07-13T08:38:39.127266Z","labels":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:public-info-viewer\" of ClusterRole \"system:public-info-viewer\" to Group \"system:authenticated\""},"logName":"projects/elastic-siem/logs/cloudaudit.googleapis.com%2Fdata_access","operation":{"id":"1234abcd","producer":"k8s.io","first":true,"last":true},"receiveTimestamp":"2025-07-13T08:38:41.005864307Z"}
+{"category":"kube-audit-admin","operationName":"Microsoft.ContainerService/managedClusters/diagnosticLogs/Read","properties":{"containerID":"aaaa1111","log":{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"abcde12345","stage":"ResponseComplete","requestURI":"/apis/coordination.k8s.io/v1/namespaces/kube-system/leases/elastic-agent-cluster-test","verb":"update","user":{"username":"aksService","groups":["system:masters","system:authenticated"],"extra":{}},"sourceIPs":["67.43.156.1"],"userAgent":"elastic-agent/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"leases","namespace":"kube-system","name":"elastic-agent-cluster-test","uid":"12345678","apiGroup":"coordination.k8s.io","apiVersion":"v1","resourceVersion":"12345678"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2025-09-30T06:23:35.091134Z","stageTimestamp":"2025-09-30T06:23:35.101182Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}},"pod":"kube-apiserver-1234567890","stream":"stdout"},"resourceId":"/SUBSCRIPTIONS/1234567890/RESOURCEGROUPS/TEST-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/TEST-AKS","serviceBuild":"na","time":"2025-09-30T06:23:35.101355367Z"}

packages/kubernetes/data_stream/audit_logs/_dev/test/pipeline/test-audit.log-expected.json

@@ -323,6 +323,100 @@
             "tags": [
                 "preserve_original_event"
             ]
+        },
+        {
+            "@timestamp": "2025-09-30T06:23:35.101Z",
+            "client": {
+                "ip": [
+                    "67.43.156.1"
+                ]
+            },
+            "event": {
+                "action": "update",
+                "kind": "event",
+                "original": "{\"category\":\"kube-audit-admin\",\"operationName\":\"Microsoft.ContainerService/managedClusters/diagnosticLogs/Read\",\"properties\":{\"containerID\":\"aaaa1111\",\"log\":{\"kind\":\"Event\",\"apiVersion\":\"audit.k8s.io/v1\",\"level\":\"Metadata\",\"auditID\":\"abcde12345\",\"stage\":\"ResponseComplete\",\"requestURI\":\"/apis/coordination.k8s.io/v1/namespaces/kube-system/leases/elastic-agent-cluster-test\",\"verb\":\"update\",\"user\":{\"username\":\"aksService\",\"groups\":[\"system:masters\",\"system:authenticated\"],\"extra\":{}},\"sourceIPs\":[\"67.43.156.1\"],\"userAgent\":\"elastic-agent/v0.0.0 (linux/amd64) kubernetes/$Format\",\"objectRef\":{\"resource\":\"leases\",\"namespace\":\"kube-system\",\"name\":\"elastic-agent-cluster-test\",\"uid\":\"12345678\",\"apiGroup\":\"coordination.k8s.io\",\"apiVersion\":\"v1\",\"resourceVersion\":\"12345678\"},\"responseStatus\":{\"metadata\":{},\"code\":200},\"requestReceivedTimestamp\":\"2025-09-30T06:23:35.091134Z\",\"stageTimestamp\":\"2025-09-30T06:23:35.101182Z\",\"annotations\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"\"}},\"pod\":\"kube-apiserver-1234567890\",\"stream\":\"stdout\"},\"resourceId\":\"/SUBSCRIPTIONS/1234567890/RESOURCEGROUPS/TEST-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/TEST-AKS\",\"serviceBuild\":\"na\",\"time\":\"2025-09-30T06:23:35.101355367Z\"}",
+                "outcome": "success"
+            },
+            "kubernetes": {
+                "audit": {
+                    "aks_metadata": {
+                        "category": "kube-audit-admin",
+                        "container_id": "aaaa1111",
+                        "operation_name": "Microsoft.ContainerService/managedClusters/diagnosticLogs/Read",
+                        "pod": "kube-apiserver-1234567890",
+                        "resource_id": "/SUBSCRIPTIONS/1234567890/RESOURCEGROUPS/TEST-RG/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/TEST-AKS",
+                        "service_build": "na",
+                        "stream": "stdout",
+                        "time": "2025-09-30T06:23:35.101355367Z"
+                    },
+                    "annotations": {
+                        "authorization_k8s_io/decision": "allow"
+                    },
+                    "apiVersion": "audit.k8s.io/v1",
+                    "auditID": "abcde12345",
+                    "kind": "Event",
+                    "level": "Metadata",
+                    "objectRef": {
+                        "apiGroup": "coordination.k8s.io",
+                        "apiVersion": "v1",
+                        "name": "elastic-agent-cluster-test",
+                        "namespace": "kube-system",
+                        "resource": "leases",
+                        "resourceVersion": "12345678",
+                        "uid": "12345678"
+                    },
+                    "requestReceivedTimestamp": "2025-09-30T06:23:35.091134Z",
+                    "requestURI": "/apis/coordination.k8s.io/v1/namespaces/kube-system/leases/elastic-agent-cluster-test",
+                    "responseStatus": {
+                        "code": 200
+                    },
+                    "sourceIPs": [
+                        "67.43.156.1"
+                    ],
+                    "stage": "ResponseComplete",
+                    "stageTimestamp": "2025-09-30T06:23:35.101182Z",
+                    "user": {
+                        "groups": [
+                            "system:masters",
+                            "system:authenticated"
+                        ],
+                        "username": "aksService"
+                    },
+                    "userAgent": "elastic-agent/v0.0.0 (linux/amd64) kubernetes/$Format",
+                    "verb": "update"
+                }
+            },
+            "orchestrator": {
+                "api_version": "audit.k8s.io/v1",
+                "namespace": "kube-system",
+                "resource": {
+                    "name": "elastic-agent-cluster-test",
+                    "type": "leases"
+                },
+                "type": "kubernetes"
+            },
+            "related": {
+                "ip": [
+                    "67.43.156.1"
+                ],
+                "user": [
+                    "aksService"
+                ]
+            },
+            "source": {
+                "ip": [
+                    "67.43.156.1"
+                ]
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "user": {
+                "name": "aksService"
+            },
+            "user_agent": {
+                "original": "elastic-agent/v0.0.0 (linux/amd64) kubernetes/$Format"
+            }
         }
     ]
 }

packages/kubernetes/data_stream/audit_logs/_dev/test/pipeline/test-kube-audit.log

@@ -0,0 +1 @@
+{"category":"kube-audit","operationName":"Microsoft.ContainerService/managedClusters/diagnosticLogs/Read","properties":{"log":"{\"kind\":\"Event\",\"apiVersion\":\"audit.k8s.io/v1\",\"level\":\"Metadata\",\"auditID\":\"ad26f7bc-f1c6-4097-90f1-e0924e12f257\",\"stage\":\"ResponseComplete\",\"requestURI\":\"/apis/coordination.k8s.io/v1/namespaces/kube-system/leases/kubelet-serving-csr-approver\",\"verb\":\"update\",\"user\":{\"username\":\"aksService\",\"groups\":[\"system:masters\",\"system:authenticated\"]},\"sourceIPs\":[\"172.31.51.172\"],\"userAgent\":\"approver/v0.0.0 (linux/amd64) kubernetes/$Format/leader-election\",\"objectRef\":{\"resource\":\"leases\",\"namespace\":\"kube-system\",\"name\":\"kubelet-serving-csr-approver\",\"uid\":\"14be99f8-ebb7-47b9-a194-43e63d9386af\",\"apiGroup\":\"coordination.k8s.io\",\"apiVersion\":\"v1\",\"resourceVersion\":\"93076016\"},\"responseStatus\":{\"metadata\":{},\"code\":200},\"requestReceivedTimestamp\":\"2025-10-07T16:19:19.643609Z\",\"stageTimestamp\":\"2025-10-07T16:19:19.647762Z\",\"annotations\":{\"authorization.k8s.io/decision\":\"allow\",\"authorization.k8s.io/reason\":\"\"}}","containerID":"a64cba7fefbf5020788dc29d9247157585bbb64826bf7209623ca7bb49b15fe7","stream":"stdout","pod":"kube-apiserver-869d7bb754-kkg69"},"resourceId":"/SUBSCRIPTIONS/ae2861b3-e901-49bd-99f3-660eb5747107/RESOURCEGROUPS/TEST/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/TEST-CLUSTER","serviceBuild":"na","time":"2025-10-07T16:19:19.647880072Z"}

packages/kubernetes/data_stream/audit_logs/_dev/test/pipeline/test-kube-audit.log-expected.json

@@ -0,0 +1,95 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2025-10-07T16:19:19.647Z",
+            "client": {
+                "ip": [
+                    "172.31.51.172"
+                ]
+            },
+            "event": {
+                "action": "update",
+                "kind": "event",
+                "original": "{\"category\":\"kube-audit\",\"operationName\":\"Microsoft.ContainerService/managedClusters/diagnosticLogs/Read\",\"properties\":{\"log\":\"{\\\"kind\\\":\\\"Event\\\",\\\"apiVersion\\\":\\\"audit.k8s.io/v1\\\",\\\"level\\\":\\\"Metadata\\\",\\\"auditID\\\":\\\"ad26f7bc-f1c6-4097-90f1-e0924e12f257\\\",\\\"stage\\\":\\\"ResponseComplete\\\",\\\"requestURI\\\":\\\"/apis/coordination.k8s.io/v1/namespaces/kube-system/leases/kubelet-serving-csr-approver\\\",\\\"verb\\\":\\\"update\\\",\\\"user\\\":{\\\"username\\\":\\\"aksService\\\",\\\"groups\\\":[\\\"system:masters\\\",\\\"system:authenticated\\\"]},\\\"sourceIPs\\\":[\\\"172.31.51.172\\\"],\\\"userAgent\\\":\\\"approver/v0.0.0 (linux/amd64) kubernetes/$Format/leader-election\\\",\\\"objectRef\\\":{\\\"resource\\\":\\\"leases\\\",\\\"namespace\\\":\\\"kube-system\\\",\\\"name\\\":\\\"kubelet-serving-csr-approver\\\",\\\"uid\\\":\\\"14be99f8-ebb7-47b9-a194-43e63d9386af\\\",\\\"apiGroup\\\":\\\"coordination.k8s.io\\\",\\\"apiVersion\\\":\\\"v1\\\",\\\"resourceVersion\\\":\\\"93076016\\\"},\\\"responseStatus\\\":{\\\"metadata\\\":{},\\\"code\\\":200},\\\"requestReceivedTimestamp\\\":\\\"2025-10-07T16:19:19.643609Z\\\",\\\"stageTimestamp\\\":\\\"2025-10-07T16:19:19.647762Z\\\",\\\"annotations\\\":{\\\"authorization.k8s.io/decision\\\":\\\"allow\\\",\\\"authorization.k8s.io/reason\\\":\\\"\\\"}}\",\"containerID\":\"a64cba7fefbf5020788dc29d9247157585bbb64826bf7209623ca7bb49b15fe7\",\"stream\":\"stdout\",\"pod\":\"kube-apiserver-869d7bb754-kkg69\"},\"resourceId\":\"/SUBSCRIPTIONS/ae2861b3-e901-49bd-99f3-660eb5747107/RESOURCEGROUPS/TEST/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/TEST-CLUSTER\",\"serviceBuild\":\"na\",\"time\":\"2025-10-07T16:19:19.647880072Z\"}",
+                "outcome": "success"
+            },
+            "kubernetes": {
+                "audit": {
+                    "aks_metadata": {
+                        "category": "kube-audit",
+                        "container_id": "a64cba7fefbf5020788dc29d9247157585bbb64826bf7209623ca7bb49b15fe7",
+                        "operation_name": "Microsoft.ContainerService/managedClusters/diagnosticLogs/Read",
+                        "pod": "kube-apiserver-869d7bb754-kkg69",
+                        "resource_id": "/SUBSCRIPTIONS/ae2861b3-e901-49bd-99f3-660eb5747107/RESOURCEGROUPS/TEST/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/TEST-CLUSTER",
+                        "service_build": "na",
+                        "stream": "stdout",
+                        "time": "2025-10-07T16:19:19.647880072Z"
+                    },
+                    "annotations": {
+                        "authorization_k8s_io/decision": "allow"
+                    },
+                    "apiVersion": "audit.k8s.io/v1",
+                    "auditID": "ad26f7bc-f1c6-4097-90f1-e0924e12f257",
+                    "kind": "Event",
+                    "level": "Metadata",
+                    "objectRef": {
+                        "apiGroup": "coordination.k8s.io",
+                        "apiVersion": "v1",
+                        "name": "kubelet-serving-csr-approver",
+                        "namespace": "kube-system",
+                        "resource": "leases",
+                        "resourceVersion": "93076016",
+                        "uid": "14be99f8-ebb7-47b9-a194-43e63d9386af"
+                    },
+                    "requestReceivedTimestamp": "2025-10-07T16:19:19.643609Z",
+                    "requestURI": "/apis/coordination.k8s.io/v1/namespaces/kube-system/leases/kubelet-serving-csr-approver",
+                    "responseStatus": {
+                        "code": 200
+                    },
+                    "sourceIPs": [
+                        "172.31.51.172"
+                    ],
+                    "stage": "ResponseComplete",
+                    "stageTimestamp": "2025-10-07T16:19:19.647762Z",
+                    "user": {
+                        "groups": [
+                            "system:masters",
+                            "system:authenticated"
+                        ],
+                        "username": "aksService"
+                    },
+                    "userAgent": "approver/v0.0.0 (linux/amd64) kubernetes/$Format/leader-election",
+                    "verb": "update"
+                }
+            },
+            "orchestrator": {
+                "api_version": "audit.k8s.io/v1",
+                "namespace": "kube-system",
+                "resource": {
+                    "name": "kubelet-serving-csr-approver",
+                    "type": "leases"
+                },
+                "type": "kubernetes"
+            },
+            "related": {
+                "ip": [
+                    "172.31.51.172"
+                ],
+                "user": [
+                    "aksService"
+                ]
+            },
+            "source": {
+                "ip": [
+                    "172.31.51.172"
+                ]
+            },
+            "user": {
+                "name": "aksService"
+            },
+            "user_agent": {
+                "original": "approver/v0.0.0 (linux/amd64) kubernetes/$Format/leader-election"
+            }
+        }
+    ]
+}