Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

2 alerts match the current filters. tactic: TA0002 ✕ technique: T1613 ✕

Show ATT&CK heatmap
  • Kubernetes vulnerability scanner activity Medium 1 variation

    A Kubernetes cluster was scanned by a known vulnerability scanner.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Discovery (TA0007)
    ATT&CK techniques: Deploy Container (T1610) Container and Resource Discovery (T1613)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Usage of known tools and frameworks to exploit Kubernetes clusters.
    Investigative actions: Check if there is an active attack against the Kubernetes cluster.

    Variations

    Kubernetes vulnerability scanner activity from within a Kubernetes Pod

    Medium overridden

    A Kubernetes cluster was scanned by a known vulnerability scanner from within a container. overridden

  • Kubernetes vulnerability scanning tool usage Medium Cloud 2 variations

    A known vulnerability scanning tool was used within a Kubernetes cluster.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002) Discovery (TA0007)
    ATT&CK techniques: Deploy Container (T1610) Container and Resource Discovery (T1613)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Usage of known tools and frameworks to exploit Kubernetes clusters.
    Investigative actions: Check if this activity is expected (e.g. penetration testing). Determine which Kubernetes resources were affected. Review additional events for any suspicious activity within the cluster.

    Variations

    Kubernetes vulnerability scanning tool usage within a pod

    Medium overridden

    A known vulnerability scanning tool was used from a pod within a Kubernetes cluster. overridden

    External Kubernetes vulnerability scanning tool usage

    Medium overridden

    A known vulnerability scanning tool was used within a Kubernetes clusteroutside the cloud environment. overridden