Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1 alert match the current filters. tactic: TA0003 ✕ technique: T1552 ✕

Show ATT&CK heatmap
  • Kubernetes admission controller activity Informational Cloud 4 variations

    A Kubernetes admission controller has been created or modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Persistence (TA0003) Credential Access (TA0006)
    ATT&CK techniques: Valid Accounts (T1078) Unsecured Credentials: Container API (T1552.007)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Intercept the requests to the Kubernetes API sever, records secrets, and other sensitive information. Modify requests to the Kubernetes API sever.
    Investigative actions: Verify whether the identity should use Kubernetes admission controllers. Examine the role of the Kubernetes admission controller and its intended function. Investigate other operations that were performed by the identity within the cluster.

    Variations

    Kubernetes validating admission controller was used in the organization for the first time

    Low overridden

    A validating Kubernetes admission controller has been created or modified. overridden

    Kubernetes mutating admission controller was used in the organization for the first time

    Medium overridden

    A mutating Kubernetes admission controller has been created or modified. overridden

    Kubernetes validating admission controller was used in the cluster for the first time

    Low overridden

    A validating Kubernetes admission controller has been created or modified. overridden

    Kubernetes mutating admission controller was used in the cluster for the first time

    Medium overridden

    A mutating Kubernetes admission controller has been created or modified. overridden