From b827f0976f8f7ad20f8ab407557cde2ce768f113 Mon Sep 17 00:00:00 2001
From: Kyle Derevyanik <107499494+sfc-gh-kderevyanik@users.noreply.github.com>
Date: Wed, 6 Dec 2023 10:50:42 -0600
Subject: [PATCH] K8s Schema Typos Fix (#992)
---
 ...ly_permissive_linux_capabilities_query.yml | 2 +-
 ...te_or_modify_host_path_vol_mount_query.yml | 2 +-
 ..._service_type_node_port_deployed_query.yml | 22 +++++++++----------
 3 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/queries/kubernetes_queries/kubernetes_overly_permissive_linux_capabilities_query.yml b/queries/kubernetes_queries/kubernetes_overly_permissive_linux_capabilities_query.yml
index 8e6d296bc..4a5a62cf6 100644
--- a/queries/kubernetes_queries/kubernetes_overly_permissive_linux_capabilities_query.yml
+++ b/queries/kubernetes_queries/kubernetes_overly_permissive_linux_capabilities_query.yml
@@ -15,7 +15,7 @@ Query: |-
 WHERE verb IN ('create', 'update')
 AND objectRef:resource = 'pods'
- AND ARRAY_INTERSECTION(REQUEST_OBJECT:spec:containers[0]:securityContext:capabilities:add, ARRAY_CONSTRUCT('BPF','NET_ADMIN','SYS_ADMIN')) != [] --linux capabilities array intersect to identify if any are present
+ AND ARRAY_INTERSECTION(requestObject:spec:containers[0]:securityContext:capabilities:add, ARRAY_CONSTRUCT('BPF','NET_ADMIN','SYS_ADMIN')) != [] --linux capabilities array intersect to identify if any are present
 AND requestObject:spec:containers[0]:securityContext is not null
 AND p_occurs_since('30 minutes')
 --insert allow-list for pods that are expected to have privileged linux capabilities, for example a observability agent
diff --git a/queries/kubernetes_queries/kubernetes_pod_create_or_modify_host_path_vol_mount_query.yml b/queries/kubernetes_queries/kubernetes_pod_create_or_modify_host_path_vol_mount_query.yml
index ed9c73a4a..169159041 100644
--- a/queries/kubernetes_queries/kubernetes_pod_create_or_modify_host_path_vol_mount_query.yml
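Review bot: The predicate on the `+` line still reads only `containers[0]`, so a pod whose elevated capability is added on a second container or an init container never matches; the column-name fix keeps that gap. Flattening the container list, `LATERAL FLATTEN(input => requestObject:spec:containers) c` in the FROM clause, then `AND ARRAY_SIZE(ARRAY_INTERSECTION(c.value:securityContext:capabilities:add, ARRAY_CONSTRUCT('BPF','NET_ADMIN','SYS_ADMIN'))) > 0` and `AND c.value:securityContext IS NOT NULL` in place of the two `containers[0]` predicates, covers every container and replaces the `!= []` comparison with an explicit size check. The verb filter `IN ('create', 'update')` on the first context line also omits `'patch'`, which the host-path query in this same commit includes, so a capability added through a patch request would be missed here. The FROM clause and the rest of this query sit outside the hunk.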
+++ b/queries/kubernetes_queries/kubernetes_pod_create_or_modify_host_path_vol_mount_query.yml
@@ -14,7 +14,7 @@ Query: >
 WHERE verb IN ('create', 'update', 'patch')
 AND objectRef:resource = 'pods'
- AND request_object:spec:volumes[0]:hostPath:path ilike ANY ('/var/run/docker.sock','/var/run/crio/crio.sock','/var/lib/kubelet','/var/lib/kubelet/pki','/var/lib/docker/overlay2','/etc/kubernetes','/etc/kubernetes/manifests','/etc/kubernetes/pki','/home/admin')
+ AND requestObject:spec:volumes[0]:hostPath:path ilike ANY ('/var/run/docker.sock','/var/run/crio/crio.sock','/var/lib/kubelet','/var/lib/kubelet/pki','/var/lib/docker/overlay2','/etc/kubernetes','/etc/kubernetes/manifests','/etc/kubernetes/pki','/home/admin')
 AND p_occurs_since('30 minutes')
 --insert allow-list for expected workloads that require a sensitive mount
 LIMIT 10
diff --git a/queries/kubernetes_queries/kubernetes_service_type_node_port_deployed_query.yml b/queries/kubernetes_queries/kubernetes_service_type_node_port_deployed_query.yml
index 405eda796..ecff02932 100644
--- a/queries/kubernetes_queries/kubernetes_service_type_node_port_deployed_query.yml
+++ b/queries/kubernetes_queries/kubernetes_service_type_node_port_deployed_query.yml
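Review bot: The `+` line still inspects only `volumes[0]`, so a pod that declares the sensitive hostPath as its second or later volume is not detected; the column-name fix does not close that gap. Iterating over the whole volume list, `LATERAL FLATTEN(input => requestObject:spec:volumes) v` in the FROM clause and `AND v.value:hostPath:path ILIKE ANY (...)` on this line, makes the match independent of volume order. The `ILIKE ANY` list carries no wildcards, so it behaves as case-insensitive equality and only exact paths are caught; if that is intended, a short comment such as `--exact-path match only; add % to cover subpaths` would help the next reader. The FROM clause of this query is outside the hunk.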
@@ -7,21 +7,21 @@ Description: >
 This detection monitors for any kubernetes service deployed with type node port. A Node Port service allows an attacker to expose a set of pods hosting the service to the internet by opening their port and redirecting traffic here. This can be used to bypass network controls and intercept traffic, creating a direct line to the outside network.
 Query: >
 SELECT *,
- OBJECT_REF:name as service,
- OBJECT_REF:namespace as namespace,
- OBJECT_REF:resource as resource_type,
+ objectRef:name as service,
+ objectRef:namespace as namespace,
+ objectRef:resource as resource_type,
 COALESCE(impersonated_user, USER:username) as src_user,
- USER_AGENT,
- RESPONSE_OBJECT:spec:externalTrafficPolicy as external_traffic_policy,
- RESPONSE_OBJECT:spec:internalTrafficPolicy as internal_traffic_policy,
- RESPONSE_OBJECT:spec:clusterIP as cluster_ip_address,
+ userAgent,
+ responseObject:spec:externalTrafficPolicy as external_traffic_policy,
+ responseObject:spec:internalTrafficPolicy as internal_traffic_policy,
+ responseObject:spec:clusterIP as cluster_ip_address,
 VALUE:port as port, --port where traffic gets forwarded to in the pod
 VALUE:protocol as protocol, --protocol the service uses
 VALUE:nodePort as node_port, --which port acts as the nodeport on all the nodes
- REQUEST_OBJECT:spec:type as type,
- IFF(REQUEST_OBJECT:spec:status:loadBalancer is null, 'No LB Present',
- REQUEST_OBJECT:spec:status:loadBalancer) as load_balancer,
- RESPONSE_STATUS:code as response_status
+ requestObject:spec:type as type,
+ IFF(requestObject:spec:status:loadBalancer is null, 'No LB Present',
+ requestObject:spec:status:loadBalancer) as load_balancer,
+ responseStatus:code as response_status
 FROM panther_logs.public.kubernetes_control_plane, lateral flatten(response_object:spec:ports)
 WHERE objectRef:resource = 'services'