
Add Kubernetes audit evidence to log analysis #1558

Open
malb200710-dev wants to merge 2 commits into UnitOneAI:main from malb200710-dev:codex/log-analysis-kubernetes-audit-1557


Conversation

@malb200710-dev

Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: log-analysis
Skill path: skills/secops/log-analysis/

What Was Wrong

The skill covered Windows, Linux, network, cloud audit, and SaaS log sources, but did not provide Kubernetes audit log guidance. Kubernetes API audit events require preserving fields such as verb, stage, objectRef, responseStatus, userAgent, sourceIPs, and impersonatedUser to avoid losing security meaning.

Fixes #1557.

What This PR Fixes

  • Adds Kubernetes audit logs to the cloud audit log source table.
  • Adds a Kubernetes Audit Event Evidence section covering critical fields.
  • Adds high-signal patterns for pods/exec, pods/attach, pods/portforward, secrets access, RBAC changes, impersonation, denied probing, and privileged pod changes.
  • Adds false-positive guards for normal controller/operator reconciliation, denied events, audit policy levels, and provider-specific field names.
  • Adds a common pitfall for treating Kubernetes audit events as generic JSON.
  • Adds official Kubernetes and MITRE ATT&CK references.
  • Bumps log-analysis to v1.0.1.

Validation

  • Checked version bump and required Kubernetes markers locally.
  • Checked markdown fence balance.
  • Checked file remains ASCII-only.
  • Cross-checked Kubernetes audit, kube-apiserver audit configuration, user impersonation, and MITRE T1609 references.

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: Payment details can be provided privately after maintainer acceptance.
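As an added example (not part of this PR or of the log-analysis skill itself), the following Python triage pass runs over constructed audit.k8s.io/v1 events, preserves the fields the PR description names (verb, stage, objectRef, responseStatus, userAgent, sourceIPs, impersonatedUser) instead of treating the events as generic JSON, and applies the listed high-signal patterns together with the false-positive guards (stage de-duplication, denied requests, controller reconciliation, audit policy level). The sample events, the controller allowlist and the probing threshold are assumptions made for the example.

```python
"""Triage Kubernetes API audit events (JSON lines) without flattening
security-relevant fields. Sample events below are constructed for this
example; the allowlist and threshold are assumed values."""
import json
from collections import defaultdict

# Constructed sample log (audit.k8s.io/v1 Event shapes, not real cluster data).
SAMPLE_AUDIT_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"RequestReceived","verb":"create","user":{"username":"alice"},"sourceIPs":["10.0.0.5"],"userAgent":"kubectl/v1.29.0","objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"web-1"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"create","user":{"username":"alice"},"sourceIPs":["10.0.0.5"],"userAgent":"kubectl/v1.29.0","objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"web-1"},"responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:cert-manager:cert-manager"},"sourceIPs":["10.244.1.7"],"userAgent":"cert-manager/v1.14.0","objectRef":{"resource":"secrets","namespace":"cert-manager"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"bob"},"sourceIPs":["203.0.113.9"],"userAgent":"kubectl/v1.29.0","objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"create","user":{"username":"bob"},"sourceIPs":["203.0.113.9"],"userAgent":"kubectl/v1.29.0","objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io","name":"bob-admin"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"list","user":{"username":"bob"},"impersonatedUser":{"username":"admin"},"sourceIPs":["203.0.113.9"],"userAgent":"kubectl/v1.29.0","objectRef":{"resource":"pods","namespace":"kube-system"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:default:default"},"sourceIPs":["10.244.2.3"],"userAgent":"curl/8.4.0","objectRef":{"resource":"secrets"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:default:default"},"sourceIPs":["10.244.2.3"],"userAgent":"curl/8.4.0","objectRef":{"resource":"clusterroles","apiGroup":"rbac.authorization.k8s.io"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:default:default"},"sourceIPs":["10.244.2.3"],"userAgent":"curl/8.4.0","objectRef":{"resource":"nodes"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","stage":"ResponseComplete","verb":"create","user":{"username":"carol"},"sourceIPs":["10.0.0.8"],"userAgent":"kubectl/v1.29.0","objectRef":{"resource":"pods","namespace":"prod","name":"debug"},"requestObject":{"kind":"Pod","spec":{"containers":[{"name":"shell","image":"busybox","securityContext":{"privileged":true}}]}},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller"},"sourceIPs":["10.0.0.1"],"userAgent":"kube-controller-manager/v1.29.0","objectRef":{"resource":"pods","namespace":"prod","name":"web-2"},"responseStatus":{"code":201}}
"""

# Assumed allowlist of operators whose secret reads are routine reconciliation.
CONTROLLER_ALLOWLIST = {"system:serviceaccount:cert-manager:cert-manager"}
RBAC_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}


def parse_events(text):
    """Parse JSON lines, keeping only audit.k8s.io Event records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("kind") == "Event" and str(ev.get("apiVersion", "")).startswith("audit.k8s.io/"):
            events.append(ev)
    return events


def extract_evidence(ev):
    """Preserve the security-relevant fields instead of flattening the event."""
    ref = ev.get("objectRef") or {}
    status = ev.get("responseStatus") or {}
    return {
        "verb": ev.get("verb"), "stage": ev.get("stage"), "level": ev.get("level"),
        "user": (ev.get("user") or {}).get("username"),
        "impersonatedUser": (ev.get("impersonatedUser") or {}).get("username"),
        "sourceIPs": ev.get("sourceIPs") or [], "userAgent": ev.get("userAgent"),
        "resource": ref.get("resource"), "subresource": ref.get("subresource"),
        "namespace": ref.get("namespace"), "name": ref.get("name"),
        "statusCode": status.get("code"),
    }


def _privileged_containers(ev):
    """Names of containers requesting privileged=true (needs requestObject)."""
    spec = (ev.get("requestObject") or {}).get("spec") or {}
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    return [c.get("name") for c in containers if (c.get("securityContext") or {}).get("privileged")]


def triage(events, probe_threshold=3, controller_allowlist=CONTROLLER_ALLOWLIST):
    findings, denied = [], defaultdict(int)
    for ev in events:
        e = extract_evidence(ev)
        # Guard: RequestReceived has no responseStatus; count each request once.
        if e["stage"] != "ResponseComplete":
            continue
        # Guard: a denied request is probing evidence, not a successful action.
        if e["statusCode"] in (401, 403):
            denied[e["user"]] += 1
            continue
        if e["impersonatedUser"]:
            findings.append({"rule": "IMPERSONATION", **e})
        if e["resource"] == "pods" and e["subresource"] in ("exec", "attach", "portforward"):
            findings.append({"rule": "POD_" + e["subresource"].upper(), **e})
        # Guard: operators read secrets during normal reconciliation.
        if e["resource"] == "secrets" and e["verb"] in ("get", "list", "watch") \
                and e["user"] not in controller_allowlist:
            findings.append({"rule": "SECRET_ACCESS", **e})
        if e["resource"] in RBAC_RESOURCES and e["verb"] in WRITE_VERBS:
            findings.append({"rule": "RBAC_CHANGE", **e})
        if e["resource"] == "pods" and not e["subresource"] and e["verb"] in ("create", "update", "patch"):
            # Guard: requestObject exists only at Request/RequestResponse audit level,
            # so a Metadata-level event cannot prove the pod was NOT privileged.
            if e["level"] in ("Request", "RequestResponse"):
                priv = _privileged_containers(ev)
                if priv:
                    findings.append({"rule": "PRIVILEGED_POD", "containers": priv, **e})
            else:
                findings.append({"rule": "COVERAGE_GAP", **e})
    for user, n in denied.items():
        if n >= probe_threshold:
            findings.append({"rule": "DENIED_PROBING", "user": user, "deniedCount": n})
    return findings


if __name__ == "__main__":
    for f in triage(parse_events(SAMPLE_AUDIT_LOG)):
        print(f["rule"], f.get("user"), f.get("resource"), f.get("sourceIPs"))
```

The COVERAGE_GAP result is not an alert; it records that the audit policy for that resource only captured Metadata, so the privileged-pod rule could not be evaluated, which is the audit-policy-level caveat the PR lists among its false-positive guards. Provider-specific field names (managed Kubernetes exports that rename or nest these fields) would need a normalisation step before extract_evidence.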



Development

Successfully merging this pull request may close these issues.

[REVIEW] log-analysis: add Kubernetes audit event evidence gates
