title: Aqua Security¶
About¶
Unify cloud security to detect, prioritize, and reduce risk.
Product Details¶
Vendor URL: Aqua Security
Product Type: Cloud Security
Product Tier: Tier II
Integration Method: webhook
Integration URL: Generic Webhook - Cyderes Documentation
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: AQUA_SECURITY
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| result | additional.fields |
| podnamespace | additional.fields |
| namespace | additional.fields |
| k8s_cluster | additional.fields |
| Static value | metadata.vendor_name |
| Static value | metadata.product_name |
| action | metadata.description |
| type | metadata.product_event_type |
| user | principal.user.userid |
| account_id | principal.user.product_object_id |
| description | security_result.description |
| control | security_result.description |
| adjective | security_result.summary |
| reason | security_result.summary |
| category | security_result.category_details |
| repository | target.resource.name |
| resource_name | target.resource.name |
| registry | target.resource.product_object_id |
| resource_type | target.resource.type |
| imagehash | target.file.sha256 |
| action | security_result.action |
| policy_name | security_result.rule_name |
| rule | security_result.rule_name |
| policy_id | security_result.rule_id |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| action = update | RESOURCE_WRITTEN |
| action = Create New Respository | RESOURCE_CREATION |
| all others | GENERIC_EVENT |
Log Sample¶
{
"type": "Orchestrator",
"category": "kubernetes.enforcer",
"control": "SELinux custom options set",
"podnamespace": "pod_namespace",
"reason": "There are failed controls in kubernetes assurance policy Default",
"result": 3,
"resource_name": "pod_name-test-mgmt-aaaaaa-postgres-bbbb-dfc75d5fc-xnr8",
"audit_type": "kap",
"hostgroup": "default kube enforcer group",
"resource": "pod",
"resource_type": "pod",
"namespace": "pod_namespace",
"rule": "Default",
"user": "system:serviceaccount:pod_namespace:aaa-bb",
"action": "update",
"compliance": "non-compliant",
"create_time": 1695303851,
"eval_msg": "pod pod_name-test-mgmt-aaaaaa-postgres-bbbb-dfc75d5fc-xnr8 in pod_namespace namespace should not set spec.securityContext.seLinuxOptions, spec.containers[*].securityContext.seLinuxOptions or spec.initContainers[*].securityContext.seLinuxOptions.",
"k8s_cluster": "aaa-bb-non-prod"
}
## Sample Parsing
```text
additional.fields["namespace"] = "pod_namespace"
additional.fields["podnamespace"] = "pod_namespace"
additional.fields["k8s_cluster"] = "aaa-bb-non-prod"
additional.fields["result"] = "3"
metadata.description = "update"
metadata.event_timestamp.seconds = 1695303869
metadata.event_timestamp.nanos = 978711000
metadata.event_type = "RESOURCE_WRITTEN"
metadata.product_event_type = "Orchestrator"
metadata.product_name = "Security"
metadata.vendor_name = "Aqua"
principal.user.userid = "system:serviceaccount:pod_namespace:aaa-bb"
security_result.category_details = "kubernetes.enforcer"
security_result.description = "SELinux custom options set"
security_result.rule_name = "Default"
security_result.summary = "There are failed controls in kubernetes assurance policy Default"
target.resource.name = "pod_name-test-mgmt-aaaaaa-postgres-bbbb-dfc75d5fc-xnr8r"
target.resource.type = "pod"
Rules¶
Coming Soon