Kubernetes Pod Created With Sensitive Volume

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-10-08
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

5 Days

Required Data

  • Requires one of the following data sources:
    • AWS Audit Log
      OR
    • Azure Audit Log
      OR
    • Gcp Audit Log

Detection Modules

Cloud

Detector Tags

Kubernetes - API

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystem
This could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges.

Attacker's Goals

  • Gain access to the host's filesystem.
  • Gain root access to the host.

Investigative actions

  • Check the identity's role designation in the organization.
  • Inspect for any additional suspicious activities inside the Kubernetes Pod.

Variations

Kubernetes Pod Created With Sensitive Volume for the first time in the cluster

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystem
This could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges.

Attacker's Goals

  • Gain access to the host's filesystem.
  • Gain root access to the host.

Investigative actions

  • Check the identity's role designation in the organization.
  • Inspect for any additional suspicious activities inside the Kubernetes Pod.


Kubernetes Pod Created With Sensitive Volume for the first time in the namespace

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystem
This could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges.

Attacker's Goals

  • Gain access to the host's filesystem.
  • Gain root access to the host.

Investigative actions

  • Check the identity's role designation in the organization.
  • Inspect for any additional suspicious activities inside the Kubernetes Pod.


Kubernetes Pod Created With Sensitive Volume for the first time by the identity

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An identity created a Kubernetes Pod with a sensitive volume, allowing the Pod to have read or write permissions on the host's filesystem
This could suggest an effort by an adversary to access sensitive files on the host and employ techniques for escalating privileges.

Attacker's Goals

  • Gain access to the host's filesystem.
  • Gain root access to the host.

Investigative actions

  • Check the identity's role designation in the organization.
  • Inspect for any additional suspicious activities inside the Kubernetes Pod.