Auditbeat - Enrich process events with K8 information

[gingerwizard]

Describe the enhancement:

Support Enrichment of Auditbeat process events with Kubernetes and docker metadata. Currently this isn't supported.

We believe this isn't working because cgroup names are different for docker containers when they are launched by Kubernetes, hence add_docker_metadata doesn't work. This information in turn isn't available for add_kubernetes_metadata. Proposal is adding logic on add_kubernetes_metadata with the k8s pattern for cgroup names.
@exekias to add more details

Describe a specific use case for the enhancement or feature:

Kubernetes and tracking process executions + being able to attribute these to a specific container.

[gingerwizard]

@exekias any plans for this one? Its come up a few times.

[exekias]

Sorry I have been out for a while, didn't have much time to look into this yet. Also pinging @elastic/secops

[nickbabkin]

Doesn't work still, kubernetes support for auditbeat is very limited.

[danmx]

Any updates from Elastic? @jsoriano @exekias

[andrewkroh]

add_process_metadata is getting support for reading container IDs from k8s cgroup names (#15947). I think once that's added you can layer on the add_kubernetes_metadata processor to enrich the process events.

[jsoriano]

I can confirm that with 7.7 will be possible to enrich process events with K8s info, I have opened a PR to add this to the reference manifest: #17431

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.