From d3383b4b2345360992d60f4fe960eb5a87fce955 Mon Sep 17 00:00:00 2001
From: Stefano <stefano.chierici@sysdig.com>
Date: Thu, 14 Apr 2022 19:54:59 +0200
Subject: [PATCH] Fixed ouput Rules K8s Serviceaccount Created/Deleted
 Signed-off-by: darryk10 <stefano.chierici@sysdig.com> Co-authored-by:
 AlbertoPellitteri <alberto.pellitteri@sysdig.com>

---
 rules/k8s_audit_rules.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/k8s_audit_rules.yaml b/rules/k8s_audit_rules.yaml
index bd74c37b..5de9a7c9 100644
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@@ -512,7 +512,7 @@
 - rule: K8s Serviceaccount Created
   desc: Detect any attempt to create a service account
   condition: (kactivity and kcreate and serviceaccount and response_successful)
-  output: K8s Serviceaccount Created (user=%ka.user.name user=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
+  output: K8s Serviceaccount Created (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
   tags: [k8s]
@@ -520,7 +520,7 @@
 - rule: K8s Serviceaccount Deleted
   desc: Detect any attempt to delete a service account
   condition: (kactivity and kdelete and serviceaccount and response_successful)
-  output: K8s Serviceaccount Deleted (user=%ka.user.name user=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
+  output: K8s Serviceaccount Deleted (user=%ka.user.name serviceaccount=%ka.target.name ns=%ka.target.namespace resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
   priority: INFO
   source: k8s_audit
   tags: [k8s]