Our next-gen architecture is built to help you make sense of your ever-growing data Watch a 4-min demo video!

Start Free Trial Request Demo
Back to All Docs

Alcide kAudit Alcide kAudit

Last Updated: Jun. 29, 2023

Coralogix complements Alcide kAudit by creating one pane of glass through which DevSecOps as well as other teams like engineering and CS can view logs from different parts of the infrastructure in a consolidated way. Beyond just visualizing the data, Coralogix gives all these teams powerful analysis tools and helps identify correlations between applications and components events using ML-techniques.

Coralogix can also put logs in the context of the application’s lifecycle in the CI/CD process – allowing you to assess the impact of every change to your infrastructure.

The end result is faster problem identification and time to resolution.

kAudit can send two log categories to Coralogix:

  • Policy Findings: The K8s audit log entries that show violations of the policy which are configured by the Sec and DevOps team.
  • Detections: Suspicious behavior with potential security risks to the K8s cluster which is automatically detected by kAudit.

Configuration

Alcide kAudit findings are streamed to Coralogix enabling them to be analyzed and viewed using the Coralogix UI, queries, and visualizations.

Exporting kAudit findings is available via the kaudit-integrationConfigMap.

URL: https://api.coralogix.com/api/v1/logs
The private key: Input your Coralogix Send-Your-Data API key
Reference: https://coralogix.com/integrations/coralogix-rest-api/

body fields:
applicationName: application
subsystemName: subsystem
logEntries: each log has timestamp, severity, category

Note: the ConfigMap should already exist where kAudit has been deployed.
Edit kaudit-integration-<your cluster name> ConfigMap and add the integrations that you wish.

Example configuration:

apiVersion: v1
kind: ConfigMap
metadata:
name: kaudit-integration-<your cluster name>
namespace: alcide-kaudit
labels:
app: kaudit
app-name: kaudit # kAudit instance
data:
audit-integration: |

- type: detections
target:
target-type: http-api
http-api-uri: 'https://api.coralogix.com/api/v1/logs'
http-api-token: 'Private-key'
stopped: true
- type: selections
target:
target-type: http-api
http-api-uri: 'https://api.coralogix.com/api/v1/logs'
rate-limit: 10
data-filter:
entity-no-match: ^system:|^admin$
rules-match: ^exec|unsafe$
report: details

UI:

In Alcide, select the Integrations tab and go to the Detections Integrations Configuration section, which is used to configure integrations for threat intel logs.

Select HTTP API as your target.

In the URL box, enter https://api.coralogix.com/api/v1/logs

Under Entities Types, select the types that you want to forward threat intel about.

Under Detection Categories, select the categories you wish to forward.

Under Detection Confidence, select your desired levels of confidence. Coralogix recommends selecting at least high and medium.

Optionally, you can create whitelist and blacklist filters on entities using the Entities Matching and Entities Not Matching boxes.

Then, go to the Selected Audit Entries Integration Configuration section, located underneath the previous section. This section is used to configure integrations for audit logs.

Select HTTP API as your target.

In the URL box, enter https://api.coralogix.com/api/v1/logs

To see how you can use Coralogix, visit: https://blog.alcide.io/get-operational-security-insights-and-alerts-for-kubernetes-using-alcide-kaudit-and-coralogix

On this page