Analytics Alerts
Browse the Cortex analytics alert reference.
10 alerts match the current filters. tactic: TA0007 ✕ technique: T1613 ✕
Show ATT&CK heatmapA Kubernetes service account has enumerated its permissions Informational Cloud 2 variations
A Kubernetes service account has enumerated its permissions using the self subject review API.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Container and Resource Discovery (T1613)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Discover permissions to the Kubernetes cluster.Investigative actions: Determine the scope of the Kubernetes service account permissions. Review additional activity of the Kubernetes service account.Variations
Suspicious permission enumeration by a Kubernetes service account
Low overridden
A Kubernetes service account has enumerated its permissions using the self subject review API. overridden
A Kubernetes service account attempted to enumerate its permissions
Low overridden
A Kubernetes service account has attempted to enumerate its permissions using the self subject review API. overridden
Kubelet server communication from a pod Informational 1 variation
The Kubelet server was accessed from within a pod, which may indicate an attempt to escape container boundaries or escalate privileges.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Privilege Escalation (TA0004) Discovery (TA0007)ATT&CK techniques: Escape to Host (T1611) Container and Resource Discovery (T1613)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Usage of the Kubelet server to attempt a container breakout or escalate privileges.Investigative actions: Examine the process on the pod to understand its purpose.Variations
Kubelet server communication from a pod by a first seen process
Low overridden
The Kubelet server was accessed from within a pod, which may indicate an attempt to escape container boundaries or escalate privileges. overridden
Kubernetes API server communication from within a pod Informational 2 variations
The Kubernetes API server was accessed from within a pod.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Container and Resource Discovery (T1613)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Usage of the Kubernetes API server to perform operations inside the cluster.Investigative actions: Check if there is an active attack against the Kubernetes cluster.Variations
Unusual Kubernetes API server communication from within a pod performed by curl process
Medium overridden
The Kubernetes API server was accessed from within a pod. overridden
Unusual Kubernetes API server communication from within a pod
Low overridden
The Kubernetes API server was accessed from within a pod. overridden
Kubernetes enumeration activity Informational Cloud 1 variation
An identity attempted to discover available resources within a cluster.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 7 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Container and Resource Discovery (T1613) Cloud Service Discovery (T1526)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Map the cluster environment and detect potential resources to abuse.Investigative actions: Check the identity's role designation in the organization. Identify which available resources were discovered. Investigate if the discovered resources were used to extract sensitive information or perform other attacks in the cloud environment.Variations
Suspicious Kubernetes enumeration activity
Informational overridden
An identity attempted to discover available resources within a cluster.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment. overridden
Kubernetes environment enumeration activity Informational 2 variations
Multiple resources within a Kubernetes cluster were enumerated.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Container and Resource Discovery (T1613)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Map the Kubernetes cluster environment and detect potential resources to abuse.Investigative actions: Identify which Kubernetes resources were discovered. Investigate whether affected resources were used to extract sensitive information.Variations
Kubernetes environment enumeration activity from a pod
Medium overridden
Multiple resources within a Kubernetes cluster were enumerated.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment. overridden
Suspicious Kubernetes environment enumeration activity
Low overridden
Multiple resources within a Kubernetes cluster were enumerated.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment. overridden
Kubernetes version disclosure Informational
The Kubernetes API server was inquired about the Kubernetes version by a process from within a pod.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 7 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Container and Resource Discovery (T1613)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Usage of the Kubernetes API server to disclose information about the Kubernetes environment.Investigative actions: Check if there is an active attack against the Kubernetes cluster.Kubernetes vulnerability scanner activity Medium 1 variation
A Kubernetes cluster was scanned by a known vulnerability scanner.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Execution (TA0002) Discovery (TA0007)ATT&CK techniques: Deploy Container (T1610) Container and Resource Discovery (T1613)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Usage of known tools and frameworks to exploit Kubernetes clusters.Investigative actions: Check if there is an active attack against the Kubernetes cluster.Variations
Kubernetes vulnerability scanner activity from within a Kubernetes Pod
Medium overridden
A Kubernetes cluster was scanned by a known vulnerability scanner from within a container. overridden
Kubernetes vulnerability scanning tool usage Medium Cloud 2 variations
A known vulnerability scanning tool was used within a Kubernetes cluster.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002) Discovery (TA0007)ATT&CK techniques: Deploy Container (T1610) Container and Resource Discovery (T1613)Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit LogsDetector tags: Kubernetes - APIAttacker's goals: Usage of known tools and frameworks to exploit Kubernetes clusters.Investigative actions: Check if this activity is expected (e.g. penetration testing). Determine which Kubernetes resources were affected. Review additional events for any suspicious activity within the cluster.Variations
Kubernetes vulnerability scanning tool usage within a pod
Medium overridden
A known vulnerability scanning tool was used from a pod within a Kubernetes cluster. overridden
External Kubernetes vulnerability scanning tool usage
Medium overridden
A known vulnerability scanning tool was used within a Kubernetes clusteroutside the cloud environment. overridden
Suspicious container reconnaissance activity in a Kubernetes pod Informational 2 variations
A process performed multiple consecutive container discovery commands from within a Kubernetes Pod.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007) Container and Resource Discovery (T1613)Required data: XDR AgentDetector tags: Kubernetes - AGENT, ContainersAttacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.Variations
Suspicious container reconnaissance activity in a Kubernetes pod
Medium overridden
A process performed multiple consecutive container discovery commands from within a Kubernetes Pod. overridden
Suspicious container reconnaissance activity in a Kubernetes pod
Low overridden
A process performed multiple consecutive container discovery commands from within a Kubernetes Pod. overridden
Unusual Kubernetes dashboard communication from a pod Low 1 variation
The Kubernetes dashboard was accessed by an unusual pod within the environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Container and Resource Discovery (T1613)Required data: XDR AgentDetector tags: Kubernetes - AGENTAttacker's goals: Usage of the Kubernetes dashboard to perform operations inside the cluster.Investigative actions: Check if there is an active attack against the Kubernetes cluster.Variations
Unusual Kubernetes dashboard communication from a new pod
Informational overridden
The Kubernetes dashboard was accessed by an unusual pod within the environment. overridden