From 7adf0b1fb1942ae09ee22965d5094653a754db9f Mon Sep 17 00:00:00 2001
From: Patrick
Date: Thu, 7 Dec 2023 14:06:09 +0100
Subject: [PATCH] Kubernetes Pull Image
---
.../kubernetes_audit_pull_image.json | 3 +++
.../kubernetes_audit_pull_image.yml | 11 +++++++++++
2 files changed, 14 insertions(+)
create mode 100644 datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.json
create mode 100644 datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.yml
diff --git a/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.json b/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.json
new file mode 100644
index 00000000..a8555dad
--- /dev/null
+++ b/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.json
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8f409ace084c2caa5bb3644512a91100e957c1cf4271a1026d83710740ed5b6b
+size 3103
diff --git a/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.yml b/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.yml
new file mode 100644
index 00000000..32cbbffc
--- /dev/null
+++ b/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.yml
@@ -0,0 +1,11 @@
+author: Patrick Bareiss
+id: 38e470fb-3c73-42c5-a5e6-47838df5e62e
+date: '2023-12-07'
+description: Kubernetes audit logs which contains pulling a image.
+environment: attack_range
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1526/kubernetes_audit_pull_image/kubernetes_audit_pull_image.json
+sourcetypes:
+- aws:cloudwatchlogs
+references:
+- https://attack.mitre.org/techniques/T1526
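Review bot: The `description` in the new kubernetes_audit_pull_image.yml does not tell a detection author what to match: it names neither the audit record that represents the image pull nor the collection path, which the `aws:cloudwatchlogs` sourcetype only implies (presumably a managed cluster shipping audit logs through CloudWatch). I would reword it along the lines of `description: Kubernetes audit logs, collected via CloudWatch, containing the events recorded when a container image is pulled.` and add a sentence naming the relevant verb and resource once confirmed against the JSON. Separately, the `dataset` URL tracks `master`, so the replayed content can change after a detection has been validated against it. The sha256 in the LFS pointer is the only integrity anchor visible in this patch, so consumers that need reproducible tests should pin a commit or verify that hash.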