How do companies manage SIEM for Kubernetes environments? I am specifically interested in running CIS benchmarks and auditing OS events on the nodes.
I already have a Wazuh cluster and agents rolled out to VMs (EL, Debian, and Windows), but the approach for Kubernetes clusters (e.g. EKS, on-prem, GKE) is quite cloudy to me. I think that the mindset has to shift because, for example, with VMs it is normal for users to log in via SSH and change things, but not for Kubernetes worker, master, and etcd nodes, where a lot of things work via the API.
I am looking for a strategic approach to dealing with security monitoring in Kubernetes. I know there are a lot of projects in the CNCF ecosystem tagged as "security" and I was considering whether or not a SIEM tool is still relevant.
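To make the "SSH login vs. API call" shift from the question concrete, here is an added example (not part of the original post, and not Wazuh's or any CNCF project's code) that parses Kubernetes API-server audit log lines (the `audit.k8s.io/v1` JSON-lines format) and flags the events that are the cluster-side equivalent of an interactive session or a node-level change, the kind of thing an SSH-login rule would catch on a VM. The sample log lines are constructed for the example, and the set of "interactive-equivalent" resources and verbs is an assumed starting policy, not a standard.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: four audit events in the audit.k8s.io/v1 JSON-lines
# format that the API server writes with --audit-log-path. Made up for this
# example; not taken from a real cluster.
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
                "requestReceivedTimestamp": "2024-01-01T10:00:00Z", "verb": "create",
                "user": {"username": "jane", "groups": ["developers"]},
                "sourceIPs": ["10.0.0.5"],
                "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "default", "name": "web-0"},
                "responseStatus": {"code": 101}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
                "requestReceivedTimestamp": "2024-01-01T10:00:05Z", "verb": "patch",
                "user": {"username": "system:node:worker-1", "groups": ["system:nodes"]},
                "sourceIPs": ["10.0.1.2"],
                "objectRef": {"resource": "nodes", "subresource": "status", "name": "worker-1"},
                "responseStatus": {"code": 200}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
                "requestReceivedTimestamp": "2024-01-01T10:00:10Z", "verb": "get",
                "user": {"username": "ci-deployer", "groups": ["ci"]},
                "sourceIPs": ["10.0.2.9"],
                "objectRef": {"resource": "deployments", "namespace": "prod", "name": "api"},
                "responseStatus": {"code": 200}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
                "requestReceivedTimestamp": "2024-01-01T10:00:15Z", "verb": "get",
                "user": {"username": "alice", "groups": ["ops"]},
                "sourceIPs": ["10.0.0.7"],
                "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-creds"},
                "responseStatus": {"code": 200}}),
])


@dataclass
class AuditRecord:
    """Flattened view of one audit event: the fields a SIEM rule usually keys on."""
    timestamp: str
    user: str
    verb: str
    resource: str
    subresource: Optional[str]
    namespace: Optional[str]
    name: Optional[str]
    source_ips: List[str]
    status_code: Optional[int]


def parse_audit_lines(lines: Iterable[str]) -> List[AuditRecord]:
    """Parse JSON-lines audit output; skips blank lines and non-Event records."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("kind") != "Event":
            continue
        ref = ev.get("objectRef") or {}
        records.append(AuditRecord(
            timestamp=ev.get("requestReceivedTimestamp", ""),
            user=(ev.get("user") or {}).get("username", ""),
            verb=ev.get("verb", ""),
            resource=ref.get("resource", ""),
            subresource=ref.get("subresource"),
            namespace=ref.get("namespace"),
            name=ref.get("name"),
            source_ips=list(ev.get("sourceIPs") or []),
            status_code=(ev.get("responseStatus") or {}).get("code"),
        ))
    return records


# Assumed starting policy (an example choice, not a Kubernetes or CIS standard):
# subresources that open an interactive channel into a container,
# resources whose mutation is a node/cluster-level change,
# and verbs that read secret material.
INTERACTIVE_SUBRESOURCES = {("pods", "exec"), ("pods", "attach"), ("pods", "portforward")}
NODE_LEVEL_RESOURCES = {"nodes", "clusterroles", "clusterrolebindings", "daemonsets"}
MUTATING_VERBS = {"create", "update", "patch", "delete"}
SECRET_READ_VERBS = {"get", "list", "watch"}


def is_interactive_equivalent(rec: AuditRecord) -> bool:
    """True when a human/service identity did something an SSH-login rule would flag on a VM."""
    if rec.user.startswith("system:"):
        return False  # control-plane and kubelet identities; tune separately
    if (rec.resource, rec.subresource) in INTERACTIVE_SUBRESOURCES:
        return True
    if rec.resource in NODE_LEVEL_RESOURCES and rec.verb in MUTATING_VERBS:
        return True
    if rec.resource == "secrets" and rec.verb in SECRET_READ_VERBS:
        return True
    return False


def flag_interactive(lines: Iterable[str]) -> List[AuditRecord]:
    """Parse the log and return only the events worth forwarding to the SIEM as alerts."""
    return [r for r in parse_audit_lines(lines) if is_interactive_equivalent(r)]


if __name__ == "__main__":
    for r in flag_interactive(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"{r.timestamp} {r.user} {r.verb} {r.resource}/{r.subresource or '-'} "
              f"{r.namespace or '-'}/{r.name} from {','.join(r.source_ips)} -> {r.status_code}")
```

In practice the audit log would be shipped by the agent already on the node rather than read from a string, and the policy sets above are the first thing to tune per cluster; the point of the example is that the audit log, not `/var/log/auth.log`, is where the "who changed what" record lives on a Kubernetes node.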