Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1 alert match the current filters. tactic: TA0004 ✕ technique: T1609 ✕

Show ATT&CK heatmap
  • Suspicious process execution in a privileged container Informational 1 variation

    A process was executed in a privileged Kubernetes Pod for the first time in the past 30 days.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Privilege Escalation (TA0004)
    ATT&CK techniques: Container Administration Command (T1609) Escape to Host (T1611)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Perform lateral movement to new hosts to expand the foothold within a network and gain higher privileges.
    Investigative actions: Investigate the processes being spawned on the host for malicious activities. Correlate the command run from the host and understand which software initiated it.

    Variations

    Suspicious process execution in a new privileged container

    Informational overridden

    A process was executed in a privileged Kubernetes Pod for the first time in the past 30 days. overridden