Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1 alert match the current filters. tactic: TA0004 ✕ technique: T1613 ✕

Show ATT&CK heatmap
  • Kubelet server communication from a pod Informational 1 variation

    The Kubelet server was accessed from within a pod, which may indicate an attempt to escape container boundaries or escalate privileges.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Discovery (TA0007)
    ATT&CK techniques: Escape to Host (T1611) Container and Resource Discovery (T1613)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Usage of the Kubelet server to attempt a container breakout or escalate privileges.
    Investigative actions: Examine the process on the pod to understand its purpose.

    Variations

    Kubelet server communication from a pod by a first seen process

    Low overridden

    The Kubelet server was accessed from within a pod, which may indicate an attempt to escape container boundaries or escalate privileges. overridden