Kubernetes Pod Created with host Inter Process Communications (IPC) namespace

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-10-08
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

5 Days

Required Data

  • Requires one of the following data sources:
    • AWS Audit Log
      OR
    • Azure Audit Log
      OR
    • Gcp Audit Log

Detection Modules

Cloud

Detector Tags

Kubernetes - API

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.
This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace.

Attacker's Goals

Access data used by other pods that use the host's IPC namespace.

Investigative actions

  • Check the identity's role designation in the organization.
  • Inspect for any files in the /dev/shm shared memory location.
  • Inspect for any IPC facilities being used with /usr/bin/ipcs.

Variations

Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time in the cluster

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.
This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace.

Attacker's Goals

Access data used by other pods that use the host's IPC namespace.

Investigative actions

  • Check the identity's role designation in the organization.
  • Inspect for any files in the /dev/shm shared memory location.
  • Inspect for any IPC facilities being used with /usr/bin/ipcs.


Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time in the namespace

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.
This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace.

Attacker's Goals

Access data used by other pods that use the host's IPC namespace.

Investigative actions

  • Check the identity's role designation in the organization.
  • Inspect for any files in the /dev/shm shared memory location.
  • Inspect for any IPC facilities being used with /usr/bin/ipcs.


Kubernetes Pod Created with host Inter Process Communications (IPC) namespace for the first time by the identity

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An identity created a Kubernetes pod with the host Inter Process Communications (IPC) namespace.
This may indicate an adversary attempting to access data used by other pods that use the host's IPC namespace.

Attacker's Goals

Access data used by other pods that use the host's IPC namespace.

Investigative actions

  • Check the identity's role designation in the organization.
  • Inspect for any files in the /dev/shm shared memory location.
  • Inspect for any IPC facilities being used with /usr/bin/ipcs.