Access to sensitive host files from within a Kubernetes pod

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2026-03-10

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: XDR Agent with eXtended Threat Hunting (XTH)
Detection Modules
Detector Tags	Kubernetes - AGENT
ATT&CK Tactic	Privilege Escalation (TA0004)
ATT&CK Technique	Escape to Host (T1611)
Severity	Informational

A process accessed sensitive host files inside a Kubernetes pod, indicating a potential container escape or privilege escalation attempt.

Access to the host filesystem.

Look for additional suspicious activities.
Verify if the exposed files were used for malicious activity.
Investigate which operations were used against the Kubernetes cluster with the exposed credentials.

A process accessed sensitive host files inside a Kubernetes pod, indicating a potential container escape or privilege escalation attempt.

Access to the host filesystem.

Look for additional suspicious activities.
Verify if the exposed files were used for malicious activity.
Investigate which operations were used against the Kubernetes cluster with the exposed credentials.

A process accessed sensitive host files inside a Kubernetes pod, indicating a potential container escape or privilege escalation attempt.

Access to the host filesystem.

Look for additional suspicious activities.
Verify if the exposed files were used for malicious activity.
Investigate which operations were used against the Kubernetes cluster with the exposed credentials.