
Hello! 

When a deployment is created in Kubernetes, it is possible to add a field as part of the securityContext named runAsUser. If the value in this field is 0, that means the deployment runs as root, which is not good at all from a security perspective. So, we would like to detect when this happens using Chronicle.

In the documentation (https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-audit-logs), it is possible to see an entry that ends with runAsUser, so that means the parser is able to do so. Also in the code it is shown:

But when I create the deployment and SecOps processes it, the field is not displayed. What could I do?
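The check the original poster is asking for, as an added example that is not part of this thread and not Chronicle's own parser or rule code: a small Python script that walks a Kubernetes audit log entry for a Deployment create/update and reports every container whose effective runAsUser is 0. The audit entry below is constructed for the example (names, e-mail and image are made up); it follows the Cloud Logging JSON shape of a GKE audit log (protoPayload.methodName, protoPayload.request). The example goes slightly beyond the question in two ways: it resolves the container-level securityContext overriding the pod-level one, and it accepts runAsUser either as the JSON integer the Kubernetes API emits or as a string, in case an upstream pipeline has stringified it.

```python
import json

# Constructed GKE Kubernetes audit log entry (not a real captured log).
# The Deployment sets runAsUser: 0 at pod level; the "sidecar" container
# overrides it to 1000, so only "nginx" effectively runs as root.
SAMPLE_AUDIT_ENTRY = json.dumps({
    "protoPayload": {
        "methodName": "io.k8s.apps.v1.deployments.create",
        "resourceName": "apps/v1/namespaces/default/deployments/web",
        "authenticationInfo": {"principalEmail": "dev@example.com"},
        "request": {
            "kind": "Deployment",
            "metadata": {"name": "web", "namespace": "default"},
            "spec": {
                "template": {
                    "spec": {
                        "securityContext": {"runAsUser": 0},
                        "containers": [
                            {"name": "nginx", "image": "nginx:1.25"},
                            {"name": "sidecar", "image": "busybox",
                             "securityContext": {"runAsUser": 1000}},
                        ],
                    }
                }
            },
        },
    }
})


def _as_int(value):
    """runAsUser is an integer in the Kubernetes API and therefore in the
    audit log; some pipelines stringify it. Accept both, reject anything
    else (including JSON booleans, which Python treats as ints)."""
    if isinstance(value, bool):
        return None
    if isinstance(value, int):
        return value
    if isinstance(value, str) and value.strip().isdigit():
        return int(value.strip())
    return None


def find_root_containers(raw_entry):
    """Return [(container_name, effective_uid)] for every container in a
    Deployment create/update request that would run as UID 0.

    A container-level securityContext.runAsUser overrides the pod-level one.
    Containers with no runAsUser at either level are not reported: their
    UID comes from the image and cannot be decided from the log alone."""
    entry = json.loads(raw_entry)
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    if not (method.endswith("deployments.create")
            or method.endswith("deployments.update")
            or method.endswith("deployments.patch")):
        return []

    pod_spec = (payload.get("request", {})
                .get("spec", {}).get("template", {}).get("spec", {}))
    pod_uid = _as_int(pod_spec.get("securityContext", {}).get("runAsUser"))

    findings = []
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for container in containers:
        ctr_uid = _as_int(container.get("securityContext", {}).get("runAsUser"))
        effective = ctr_uid if ctr_uid is not None else pod_uid
        if effective == 0:
            findings.append((container.get("name", "<unnamed>"), effective))
    return findings


if __name__ == "__main__":
    for name, uid in find_root_containers(SAMPLE_AUDIT_ENTRY):
        print(f"container {name!r} runs as UID {uid}")
```

The same walk (request.spec.template.spec.securityContext.runAsUser, then each container's securityContext.runAsUser) is the path a parser extension or detection rule would need to map; the integer-versus-string handling in `_as_int` is the point to check first if the field is present in the raw log but absent after parsing.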

 

Hi Keso.


You can create a Parser extension to map this field correctly. If you share your raw log, log type/parser used, and a bit more information on what you're trying to do, I can help you write the parser extension.


Hi @keso,

I have not seen a raw log containing this; maybe it's not a string within the raw log and needs converting to a string, and then it will successfully output. If you open a support ticket, they should be able to look into this!

Kind Regards,

Ayman

