Analytics Alerts
Browse the Cortex analytics alert reference.
15 alerts match the current filters. tactic: TA0002 ✕ technique: T1610 ✕
Show ATT&CK heatmapA Kubernetes DaemonSet was created Informational Cloud
A Kubernetes DaemonSet was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Deploy a container into an environment to facilitate execution.Investigative actions: Check which changes were made to the Kubernetes DaemonSet.A Kubernetes Pod was created with a sidecar container Informational Cloud
A Kubernetes Pod was created with a sidecar container.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Deploy a container into an environment to facilitate execution.Investigative actions: Check which changes were made to the Kubernetes deployment.A Kubernetes ReplicaSet was created Informational Cloud
A Kubernetes ReplicaSet was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Deploy a container into an environment to facilitate execution.Investigative actions: Check which changes were made to the Kubernetes ReplicaSet.A Kubernetes StatefulSet was created Informational Cloud
A Kubernetes StatefulSet was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Deploy a container into an environment to facilitate execution.Investigative actions: Check which changes were made to the Kubernetes StatefulSet.A Kubernetes deployment was created Informational Cloud
A Kubernetes deployment was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Deploy a container into an environment to facilitate execution.Investigative actions: Check which changes were made to the Kubernetes deployment.A Kubernetes ephemeral container was created Informational Cloud
A Kubernetes ephemeral container was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Deploy a container into an environment to facilitate execution.Investigative actions: Check which changes were made to the Kubernetes deployment.Kubernetes Pod Created With Sensitive Volume Informational Cloud 3 variations
An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Gain access to the host's filesystem. Gain root access to the host.Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.Variations
Kubernetes Pod Created With Sensitive Volume for the first time in the cluster
Low overridden
An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges. overridden
Kubernetes Pod Created With Sensitive Volume for the first time in the namespace
Low overridden
An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges. overridden
Kubernetes Pod Created With Sensitive Volume for the first time by the identity
Low overridden
An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges. overridden
Kubernetes Pod Created with host Inter Process Communications (IPC) namespace Informational Cloud 3 variations
An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Access data used by other pods that use the host's IPC namespace.Investigative actions: Check the identity's role designation in the organization. Inspect for any files in the /dev/shm shared memory location. Inspect for any IPC facilities being used with /usr/bin/ipcs.Variations
Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time in the cluster
Low overridden
An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace. overridden
Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time in the namespace
Low overridden
An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace. overridden
Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time by the identity
Low overridden
An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace. overridden
Kubernetes Pod created with host process ID (PID) namespace Informational Cloud 3 variations
An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: View processes on the host. View the environment variables for each pod on the host. View the file descriptors for each pod on the host. Kill processes on the node.Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.Variations
Kubernetes Pod created with host process ID (PID) namespace for the first time in the cluster
Low overridden
An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root. overridden
Kubernetes Pod created with host process ID (PID) namespace for the first time in the namespace
Low overridden
An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root. overridden
Kubernetes Pod created with host process ID (PID) namespace for the first time by the identity
Low overridden
An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root. overridden
Kubernetes Privileged Pod Creation Informational Cloud 3 variations
An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Gain access to the host's filesystem. Gain root access to the host.Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.Variations
Kubernetes Privileged Pod Creation for the first time in the cluster
Low overridden
An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host. overridden
Kubernetes Privileged Pod Creation for the first time in the namespace
Low overridden
An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host. overridden
Kubernetes Privileged Pod Creation for the first time by the identity
Low overridden
An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host. overridden
Kubernetes pod creation from unknown container image registry Low Cloud 1 variation
A Kubernetes pod was created with a container image from an unknown registry.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Deploy container with a malicious image to facilitate execution.Investigative actions: Check the image registry designation in the organization. Scan the container image for any malicious components.Variations
Kubernetes pod creation from unusual container image registry
Low overridden
A Kubernetes pod was created with a container image from an unknown registry. overridden
Kubernetes pod creation with host network Informational Cloud 3 variations
An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Access services bound to localhost. Sniff traffic on any interface on the host. Bypass network policy.Investigative actions: Check the identity's role designation in the organization. Inspect for any unusual access to localhost services. Inspect for any network sniffing tool being used inside the Kubernetes Pod.Variations
Kubernetes pod creation with host network for the first time in the cluster
Low overridden
An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy. overridden
Kubernetes pod creation with host network for the first time in the namespace
Low overridden
An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy. overridden
Kubernetes pod creation with host network for the first time by the identity
Low overridden
An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy. overridden
Kubernetes vulnerability scanner activity Medium 1 variation
A Kubernetes cluster was scanned by a known vulnerability scanner.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Discovery (TA0007)ATT&CK techniques: Deploy Container (T1610) Container and Resource Discovery (T1613)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Usage of known tools and frameworks to exploit Kubernetes clusters.Investigative actions: Check if there is an active attack against the Kubernetes cluster.Variations
Kubernetes vulnerability scanner activity from within a Kubernetes Pod
Medium overridden
A Kubernetes cluster was scanned by a known vulnerability scanner from within a container. overridden
Kubernetes vulnerability scanning tool usage Medium Cloud 2 variations
A known vulnerability scanning tool was used within a Kubernetes cluster.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002) Discovery (TA0007)ATT&CK techniques: Deploy Container (T1610) Container and Resource Discovery (T1613)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Usage of known tools and frameworks to exploit Kubernetes clusters.Investigative actions: Check if this activity is expected (e.g. penetration testing). Determine which Kubernetes resources were affected. Review additional events for any suspicious activity within the cluster.Variations
Kubernetes vulnerability scanning tool usage within a pod
Medium overridden
A known vulnerability scanning tool was used from a pod within a Kubernetes cluster. overridden
External Kubernetes vulnerability scanning tool usage
Medium overridden
A known vulnerability scanning tool was used within a Kubernetes clusteroutside the cloud environment. overridden
Suspicious container runtime connection from within a Kubernetes Pod Informational 2 variations
A process from within a Kubernetes Pod communicated with the container runtime daemon using the runtime socket.This may indicate an adversary attempting to escape from the Kubernetes Pod to the host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Container Administration Command (T1609) Deploy Container (T1610)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Escape from a container to the host machine and expand the foothold in the network.Investigative actions: Change the container socket configuration. Check if the default Docker daemon binding to TCP changed. If so, non-root users may gain access to the container.Variations
Suspicious container runtime connection from within a Kubernetes Pod using the curl client
Low overridden
A process from within a Kubernetes Pod communicated with the container runtime daemon using the runtime socket.This may indicate an adversary attempting to escape from the Kubernetes Pod to the host. overridden
Suspicious container runtime connection from within a Kubernetes Pod using the docker client
Medium overridden
A process from within a Kubernetes Pod communicated with the container runtime daemon using the runtime socket.This may indicate an adversary attempting to escape from the Kubernetes Pod to the host. overridden