Security Information and Event Management (SIEM) Integration
SIEM platforms aggregate security data from multiple sources for correlation and analysis. Kubernetes environments generate massive data volumes that challenge traditional SIEM architectures. Effective integration requires selective forwarding of security-relevant events rather than all logs. This reduces costs while maintaining security visibility.
Event correlation across Kubernetes and traditional infrastructure reveals sophisticated attacks. An attacker might compromise a container, escalate privileges, then pivot to non-containerized systems. Correlating Kubernetes audit logs with system authentication logs exposes this lateral movement. Time synchronization across all systems enables accurate correlation.
# Logstash pipeline for Kubernetes SIEM integration
apiVersion: v1
kind: ConfigMap
metadata:
  name: logstash-pipeline
  namespace: monitoring
data:
  logstash.conf: |
    input {
      kafka {
        bootstrap_servers => "kafka.monitoring:9092"
        topics => ["kubernetes-audit", "container-logs", "network-flows"]
        codec => "json"
        group_id => "siem-consumer"
        # Expose the source topic as [@metadata][kafka][topic] so the filter can route on it
        decorate_events => true
        # Credentials come from the environment, never from the ConfigMap itself
        security_protocol => "SASL_SSL"
        sasl_mechanism => "PLAIN"
        sasl_jaas_config => "org.apache.kafka.common.security.plain.PlainLoginModule required username='${KAFKA_USER}' password='${KAFKA_PASSWORD}';"
      }
    }
    filter {
      # Parse Kubernetes audit logs (everything consumed from the kubernetes-audit topic)
      if [@metadata][kafka][topic] == "kubernetes-audit" {
        mutate {
          add_field => {
            "event.category" => "authentication"
            "event.type" => "access"
          }
        }
        # Extract important fields
        mutate {
          rename => {
            "[requestObject][metadata][name]" => "kubernetes.pod.name"
            "[requestObject][metadata][namespace]" => "kubernetes.namespace"
            "[responseStatus][code]" => "http.response.status_code"
          }
        }
        # Detect suspicious activities: writes to cluster-wide RBAC bindings
        if [verb] in ["create", "update", "patch"] and [objectRef][resource] == "clusterrolebindings" {
          mutate {
            add_tag => ["privilege_escalation_attempt"]
            add_field => { "event.severity" => "high" }
          }
        }
      }
      # Enrich with threat intelligence: look the source IP up in the threat_intel keyspace.
      # The memcached filter's get option maps a cache key to the event field that receives
      # the value; the field is only written on a cache hit, so the indicator fields are
      # added in a separate conditional rather than unconditionally.
      if [source.ip] {
        memcached {
          hosts => ["memcached.monitoring:11211"]
          namespace => "threat_intel"
          get => { "%{source.ip}" => "threat.indicator.description" }
        }
        if [threat.indicator.description] {
          mutate {
            add_field => {
              "threat.indicator.ip" => "%{source.ip}"
              "threat.indicator.type" => "ipv4-addr"
            }
          }
        }
      }
      # Add GeoIP information
      if [source.ip] {
        geoip {
          source => "source.ip"
          target => "source.geo"
          database => "/usr/share/GeoIP/GeoLite2-City.mmdb"
        }
      }
    }
    output {
      # Send to SIEM
      elasticsearch {
        hosts => ["${SIEM_ELASTICSEARCH_HOSTS}"]
        # With ILM enabled the rollover alias below governs the write index; the index
        # option is kept only as a fallback name when ILM is turned off.
        index => "kubernetes-security-%{+YYYY.MM.dd}"
        user => "${SIEM_USER}"
        password => "${SIEM_PASSWORD}"
        ssl => true
        ssl_certificate_verification => true
        ilm_enabled => true
        ilm_rollover_alias => "kubernetes-security"
        ilm_pattern => "{now/d}-000001"
        ilm_policy => "kubernetes-security-policy"
      }
      # Send high-severity events to incident response
      if [event.severity] == "high" or "critical" in [tags] {
        http {
          url => "${INCIDENT_WEBHOOK_URL}"
          http_method => "post"
          format => "json"
          mapping => {
            "severity" => "%{event.severity}"
            "message" => "%{message}"
            "source" => "kubernetes"
            "cluster" => "%{kubernetes.cluster.name}"
          }
        }
      }
    }
Threat intelligence integration enriches security events with external context. IP reputation databases identify known malicious actors. Malware signatures help identify compromised containers. Vulnerability feeds correlate runtime behaviors with known exploits. This enrichment improves detection accuracy and provides investigation context.
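The cross-system correlation and threat-intelligence enrichment described above, as an added Python example that is not part of the original page: it parses constructed kube-apiserver audit events and sshd syslog lines, normalises both to UTC (syslog lines carry neither year nor zone, which is why clock and zone agreement matters), and pairs a cluster-wide RBAC change with a later host login from the same source IP, attaching a note from a constructed indicator set. The event fields, hostnames, IPs and indicator set are all constructed sample data.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: two kube-apiserver audit events as JSON lines (RFC 3339 timestamps, UTC).
AUDIT_EVENTS = [
    json.dumps({"verb": "create", "stageTimestamp": "2024-05-01T10:00:05Z", "sourceIPs": ["10.0.1.7"],
                "user": {"username": "system:serviceaccount:dev:builder"},
                "objectRef": {"resource": "clusterrolebindings", "name": "builder-admin"},
                "responseStatus": {"code": 201}}),
    json.dumps({"verb": "get", "stageTimestamp": "2024-05-01T10:01:00Z", "sourceIPs": ["10.0.1.9"],
                "user": {"username": "alice"}, "objectRef": {"resource": "pods", "namespace": "dev"},
                "responseStatus": {"code": 200}}),
]
# Constructed sample: sshd lines from a non-containerized host (syslog format: no year, no zone).
AUTH_LINES = [
    "May  1 10:03:41 db01 sshd[2231]: Accepted publickey for root from 10.0.1.7 port 51022 ssh2",
    "May  1 11:30:00 db01 sshd[2299]: Accepted password for bob from 10.0.2.5 port 40110 ssh2",
]
# Constructed threat-intelligence lookup (hypothetical indicator set, stands in for the memcached keyspace).
THREAT_INTEL = {"10.0.1.7": "seen in prior intrusion"}
SSH_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")

def parse_audit(lines, sensitive=("clusterrolebindings", "clusterroles")):
    """Yield (time, source_ip, user) for audit events that write cluster-wide RBAC objects."""
    for line in lines:
        ev = json.loads(line)
        if ev["verb"] in ("create", "update", "patch") and ev["objectRef"]["resource"] in sensitive:
            ts = datetime.fromisoformat(ev["stageTimestamp"].replace("Z", "+00:00"))
            yield ts, ev["sourceIPs"][0], ev["user"]["username"]

def parse_auth(lines, year, tz=timezone.utc):
    """Yield (time, host, user, source_ip) from sshd 'Accepted' lines, supplying the year and zone syslog omits."""
    for line in lines:
        m = SSH_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
            yield ts, m.group(2), m.group(3), m.group(4)

def correlate(audit_lines, auth_lines, year=2024, window=timedelta(minutes=15)):
    """Pair each RBAC change with a later host login from the same source IP inside the window."""
    hits = []
    logins = list(parse_auth(auth_lines, year))
    for k8s_ts, ip, k8s_user in parse_audit(audit_lines):
        for ssh_ts, host, ssh_user, ssh_ip in logins:
            if ssh_ip == ip and k8s_ts <= ssh_ts <= k8s_ts + window:
                hits.append({"source_ip": ip, "k8s_user": k8s_user, "host": host, "ssh_user": ssh_user,
                             "delta_s": (ssh_ts - k8s_ts).total_seconds(), "threat": THREAT_INTEL.get(ip)})
    return hits
```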