Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

10 alerts match the current filters. tactic: TA0007 ✕ technique: T1613 ✕

Show ATT&CK heatmap
  • A Kubernetes service account has enumerated its permissions Informational Cloud 2 variations

    A Kubernetes service account has enumerated its permissions using the self subject review API.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Container and Resource Discovery (T1613)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Discover permissions to the Kubernetes cluster.
    Investigative actions: Determine the scope of the Kubernetes service account permissions. Review additional activity of the Kubernetes service account.

    Variations

    Suspicious permission enumeration by a Kubernetes service account

    Low overridden

    A Kubernetes service account has enumerated its permissions using the self subject review API. overridden

    A Kubernetes service account attempted to enumerate its permissions

    Low overridden

    A Kubernetes service account has attempted to enumerate its permissions using the self subject review API. overridden

  • Kubelet server communication from a pod Informational 1 variation

    The Kubelet server was accessed from within a pod, which may indicate an attempt to escape container boundaries or escalate privileges.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Privilege Escalation (TA0004) Discovery (TA0007)
    ATT&CK techniques: Escape to Host (T1611) Container and Resource Discovery (T1613)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Usage of the Kubelet server to attempt a container breakout or escalate privileges.
    Investigative actions: Examine the process on the pod to understand its purpose.

    Variations

    Kubelet server communication from a pod by a first seen process

    Low overridden

    The Kubelet server was accessed from within a pod, which may indicate an attempt to escape container boundaries or escalate privileges. overridden

  • Kubernetes API server communication from within a pod Informational 2 variations

    The Kubernetes API server was accessed from within a pod.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Container and Resource Discovery (T1613)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Usage of the Kubernetes API server to perform operations inside the cluster.
    Investigative actions: Check if there is an active attack against the Kubernetes cluster.

    Variations

    Unusual Kubernetes API server communication from within a pod performed by curl process

    Medium overridden

    The Kubernetes API server was accessed from within a pod. overridden

    Unusual Kubernetes API server communication from within a pod

    Low overridden

    The Kubernetes API server was accessed from within a pod. overridden

  • Kubernetes enumeration activity Informational Cloud 1 variation

    An identity attempted to discover available resources within a cluster.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    7 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Container and Resource Discovery (T1613) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Map the cluster environment and detect potential resources to abuse.
    Investigative actions: Check the identity's role designation in the organization. Identify which available resources were discovered. Investigate if the discovered resources were used to extract sensitive information or perform other attacks in the cloud environment.

    Variations

    Suspicious Kubernetes enumeration activity

    Informational overridden

    An identity attempted to discover available resources within a cluster.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment. overridden

  • Kubernetes environment enumeration activity Informational 2 variations

    Multiple resources within a Kubernetes cluster were enumerated.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Container and Resource Discovery (T1613)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Map the Kubernetes cluster environment and detect potential resources to abuse.
    Investigative actions: Identify which Kubernetes resources were discovered. Investigate whether affected resources were used to extract sensitive information.

    Variations

    Kubernetes environment enumeration activity from a pod

    Medium overridden

    Multiple resources within a Kubernetes cluster were enumerated.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment. overridden

    Suspicious Kubernetes environment enumeration activity

    Low overridden

    Multiple resources within a Kubernetes cluster were enumerated.This may indicate an adversary attempting to map the Kubernetes environment and discover resources that may assist to perform additional attacks within the environment. overridden

  • Kubernetes version disclosure Informational

    The Kubernetes API server was inquired about the Kubernetes version by a process from within a pod.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    7 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Container and Resource Discovery (T1613)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Usage of the Kubernetes API server to disclose information about the Kubernetes environment.
    Investigative actions: Check if there is an active attack against the Kubernetes cluster.
  • Kubernetes vulnerability scanner activity Medium 1 variation

    A Kubernetes cluster was scanned by a known vulnerability scanner.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Discovery (TA0007)
    ATT&CK techniques: Deploy Container (T1610) Container and Resource Discovery (T1613)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Usage of known tools and frameworks to exploit Kubernetes clusters.
    Investigative actions: Check if there is an active attack against the Kubernetes cluster.

    Variations

    Kubernetes vulnerability scanner activity from within a Kubernetes Pod

    Medium overridden

    A Kubernetes cluster was scanned by a known vulnerability scanner from within a container. overridden

  • Kubernetes vulnerability scanning tool usage Medium Cloud 2 variations

    A known vulnerability scanning tool was used within a Kubernetes cluster.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002) Discovery (TA0007)
    ATT&CK techniques: Deploy Container (T1610) Container and Resource Discovery (T1613)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Usage of known tools and frameworks to exploit Kubernetes clusters.
    Investigative actions: Check if this activity is expected (e.g. penetration testing). Determine which Kubernetes resources were affected. Review additional events for any suspicious activity within the cluster.

    Variations

    Kubernetes vulnerability scanning tool usage within a pod

    Medium overridden

    A known vulnerability scanning tool was used from a pod within a Kubernetes cluster. overridden

    External Kubernetes vulnerability scanning tool usage

    Medium overridden

    A known vulnerability scanning tool was used within a Kubernetes clusteroutside the cloud environment. overridden

  • Suspicious container reconnaissance activity in a Kubernetes pod Informational 2 variations

    A process performed multiple consecutive container discovery commands from within a Kubernetes Pod.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Remote System Discovery (T1018) System Information Discovery (T1082) System Network Configuration Discovery (T1016) System Service Discovery (T1007) Container and Resource Discovery (T1613)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Collect information about the host, network and user configuration for lateral movement and privilege escalation.
    Investigative actions: Verify if the script or process initiating the discovery commands is benign. Verify that this isn't sanctioned IT activity. Look for other hosts executing similar commands.

    Variations

    Suspicious container reconnaissance activity in a Kubernetes pod

    Medium overridden

    A process performed multiple consecutive container discovery commands from within a Kubernetes Pod. overridden

    Suspicious container reconnaissance activity in a Kubernetes pod

    Low overridden

    A process performed multiple consecutive container discovery commands from within a Kubernetes Pod. overridden

  • Unusual Kubernetes dashboard communication from a pod Low 1 variation

    The Kubernetes dashboard was accessed by an unusual pod within the environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Container and Resource Discovery (T1613)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Usage of the Kubernetes dashboard to perform operations inside the cluster.
    Investigative actions: Check if there is an active attack against the Kubernetes cluster.

    Variations

    Unusual Kubernetes dashboard communication from a new pod

    Informational overridden

    The Kubernetes dashboard was accessed by an unusual pod within the environment. overridden