Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

15 alerts match the current filters. technique: T1610 ✕

Show ATT&CK heatmap
  • A Kubernetes DaemonSet was created Informational Cloud

    A Kubernetes DaemonSet was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Deploy a container into an environment to facilitate execution.
    Investigative actions: Check which changes were made to the Kubernetes DaemonSet.
  • A Kubernetes Pod was created with a sidecar container Informational Cloud

    A Kubernetes Pod was created with a sidecar container.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Deploy a container into an environment to facilitate execution.
    Investigative actions: Check which changes were made to the Kubernetes deployment.
  • A Kubernetes ReplicaSet was created Informational Cloud

    A Kubernetes ReplicaSet was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Deploy a container into an environment to facilitate execution.
    Investigative actions: Check which changes were made to the Kubernetes ReplicaSet.
  • A Kubernetes StatefulSet was created Informational Cloud

    A Kubernetes StatefulSet was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Deploy a container into an environment to facilitate execution.
    Investigative actions: Check which changes were made to the Kubernetes StatefulSet.
  • A Kubernetes deployment was created Informational Cloud

    A Kubernetes deployment was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Deploy a container into an environment to facilitate execution.
    Investigative actions: Check which changes were made to the Kubernetes deployment.
  • A Kubernetes ephemeral container was created Informational Cloud

    A Kubernetes ephemeral container was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Deploy a container into an environment to facilitate execution.
    Investigative actions: Check which changes were made to the Kubernetes deployment.
  • Kubernetes Pod Created With Sensitive Volume Informational Cloud 3 variations

    An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)
    ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Gain access to the host's filesystem. Gain root access to the host.
    Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.

    Variations

    Kubernetes Pod Created With Sensitive Volume for the first time in the cluster

    Low overridden

    An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges. overridden

    Kubernetes Pod Created With Sensitive Volume for the first time in the namespace

    Low overridden

    An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges. overridden

    Kubernetes Pod Created With Sensitive Volume for the first time by the identity

    Low overridden

    An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystemThis could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges. overridden

  • Kubernetes Pod Created with host Inter Process Communications (IPC) namespace Informational Cloud 3 variations

    An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)
    ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Access data used by other pods that use the host's IPC namespace.
    Investigative actions: Check the identity's role designation in the organization. Inspect for any files in the /dev/shm shared memory location. Inspect for any IPC facilities being used with /usr/bin/ipcs.

    Variations

    Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time in the cluster

    Low overridden

    An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace. overridden

    Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time in the namespace

    Low overridden

    An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace. overridden

    Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time by the identity

    Low overridden

    An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace. overridden

  • Kubernetes Pod created with host process ID (PID) namespace Informational Cloud 3 variations

    An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)
    ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: View processes on the host. View the environment variables for each pod on the host. View the file descriptors for each pod on the host. Kill processes on the node.
    Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.

    Variations

    Kubernetes Pod created with host process ID (PID) namespace for the first time in the cluster

    Low overridden

    An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root. overridden

    Kubernetes Pod created with host process ID (PID) namespace for the first time in the namespace

    Low overridden

    An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root. overridden

    Kubernetes Pod created with host process ID (PID) namespace for the first time by the identity

    Low overridden

    An identity created a Kubernetes pod with the host process ID (PID) namespace.This may indicate an adversary attempting to access processes running on the host, which could allow escalating privileges to root. overridden

  • Kubernetes Privileged Pod Creation Informational Cloud 3 variations

    An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)
    ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Gain access to the host's filesystem. Gain root access to the host.
    Investigative actions: Check the identity's role designation in the organization. Inspect for any additional suspicious activities inside the Kubernetes Pod.

    Variations

    Kubernetes Privileged Pod Creation for the first time in the cluster

    Low overridden

    An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host. overridden

    Kubernetes Privileged Pod Creation for the first time in the namespace

    Low overridden

    An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host. overridden

    Kubernetes Privileged Pod Creation for the first time by the identity

    Low overridden

    An identity created a Kubernetes pod with a privileged container.This may indicate an adversary attempting to access that host's filesystem or gain root access to the host. overridden

  • Kubernetes pod creation from unknown container image registry Low Cloud 1 variation

    A Kubernetes pod was created with a container image from an unknown registry.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Deploy container with a malicious image to facilitate execution.
    Investigative actions: Check the image registry designation in the organization. Scan the container image for any malicious components.

    Variations

    Kubernetes pod creation from unusual container image registry

    Low overridden

    A Kubernetes pod was created with a container image from an unknown registry. overridden

  • Kubernetes pod creation with host network Informational Cloud 3 variations

    An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Privilege Escalation (TA0004) Execution (TA0002)
    ATT&CK techniques: Escape to Host (T1611) Deploy Container (T1610)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Access services bound to localhost. Sniff traffic on any interface on the host. Bypass network policy.
    Investigative actions: Check the identity's role designation in the organization. Inspect for any unusual access to localhost services. Inspect for any network sniffing tool being used inside the Kubernetes Pod.

    Variations

    Kubernetes pod creation with host network for the first time in the cluster

    Low overridden

    An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy. overridden

    Kubernetes pod creation with host network for the first time in the namespace

    Low overridden

    An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy. overridden

    Kubernetes pod creation with host network for the first time by the identity

    Low overridden

    An identity created a Kubernetes pod attached to the host network.This may indicate an adversary attempting to access services bound to localhost, sniff traffic on any interface on the host, and potentially bypass the network policy. overridden

  • Kubernetes vulnerability scanner activity Medium 1 variation

    A Kubernetes cluster was scanned by a known vulnerability scanner.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Discovery (TA0007)
    ATT&CK techniques: Deploy Container (T1610) Container and Resource Discovery (T1613)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT
    Attacker's goals: Usage of known tools and frameworks to exploit Kubernetes clusters.
    Investigative actions: Check if there is an active attack against the Kubernetes cluster.

    Variations

    Kubernetes vulnerability scanner activity from within a Kubernetes Pod

    Medium overridden

    A Kubernetes cluster was scanned by a known vulnerability scanner from within a container. overridden

  • Kubernetes vulnerability scanning tool usage Medium Cloud 2 variations

    A known vulnerability scanning tool was used within a Kubernetes cluster.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002) Discovery (TA0007)
    ATT&CK techniques: Deploy Container (T1610) Container and Resource Discovery (T1613)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log Kubernetes Audit Logs
    Detector tags: Kubernetes - API
    Attacker's goals: Usage of known tools and frameworks to exploit Kubernetes clusters.
    Investigative actions: Check if this activity is expected (e.g. penetration testing). Determine which Kubernetes resources were affected. Review additional events for any suspicious activity within the cluster.

    Variations

    Kubernetes vulnerability scanning tool usage within a pod

    Medium overridden

    A known vulnerability scanning tool was used from a pod within a Kubernetes cluster. overridden

    External Kubernetes vulnerability scanning tool usage

    Medium overridden

    A known vulnerability scanning tool was used within a Kubernetes clusteroutside the cloud environment. overridden

  • Suspicious container runtime connection from within a Kubernetes Pod Informational 2 variations

    A process from within a Kubernetes Pod communicated with the container runtime daemon using the runtime socket.This may indicate an adversary attempting to escape from the Kubernetes Pod to the host.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Container Administration Command (T1609) Deploy Container (T1610)
    Required data: XDR Agent
    Detector tags: Kubernetes - AGENT, Containers
    Attacker's goals: Escape from a container to the host machine and expand the foothold in the network.
    Investigative actions: Change the container socket configuration. Check if the default Docker daemon binding to TCP changed. If so, non-root users may gain access to the container.

    Variations

    Suspicious container runtime connection from within a Kubernetes Pod using the curl client

    Low overridden

    A process from within a Kubernetes Pod communicated with the container runtime daemon using the runtime socket.This may indicate an adversary attempting to escape from the Kubernetes Pod to the host. overridden

    Suspicious container runtime connection from within a Kubernetes Pod using the docker client

    Medium overridden

    A process from within a Kubernetes Pod communicated with the container runtime daemon using the runtime socket.This may indicate an adversary attempting to escape from the Kubernetes Pod to the host. overridden