Analytics Alerts
Browse the Cortex analytics alert reference.
1 alert match the current filters. tactic: TA0004 ✕ technique: T1609 ✕
Show ATT&CK heatmapSuspicious process execution in a privileged container Informational 1 variation
A process was executed in a privileged Kubernetes Pod for the first time in the past 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)ATT&CK techniques: Container Administration Command (T1609) Escape to Host (T1611)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Perform lateral movement to new hosts to expand the foothold within a network and gain higher privileges.Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the command run from the host and understand which software initiated it.Variations
Suspicious process execution in a new privileged container
Informational overridden
A process was executed in a privileged Kubernetes Pod for the first time in the past 30 days. overridden