Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 5 Days |
| Required Data | |
| Detection Modules | |
| Detector Tags | Kubernetes - AGENT |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Medium |
Description
A Kubernetes pod has accessed the access token of another pod.
This could indicate unauthorized access or a security breach within the cluster.
Attacker's Goals
Gain access to the Kubernetes environment.
Investigative actions
- Look for additional suspicious activities.
- Verify if the exposed credentials were used to access the API server.
- Investigate which operations were used against the Kubernetes cluster with the exposed credentials.
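One way to carry out the last two investigative actions over API server audit logs, as an added example that is not part of the original page or the product's own detection logic. It assumes audit logging is enabled with JSON-lines output, that the exposed token is a bound service account token (so the audit event carries `authentication.kubernetes.io/pod-name` in `user.extra`), and that pod IPs reach the API server without NAT; all names, IPs and events below are constructed.

```python
import json
from collections import Counter

POD_KEY = "authentication.kubernetes.io/pod-name"  # set for bound SA tokens

def ev(ip, verb, resource, code, sa="payments", pod="payments-7d9f"):
    """Build one constructed audit.k8s.io/v1 event with only the fields used here."""
    return json.dumps({
        "stage": "ResponseComplete", "verb": verb,
        "user": {"username": f"system:serviceaccount:shop:{sa}",
                 "extra": {POD_KEY: [pod]}},
        "sourceIPs": [ip],
        "objectRef": {"resource": resource, "namespace": "shop"},
        "responseStatus": {"code": code}})

AUDIT_LOG = "\n".join([
    ev("10.0.1.12", "get", "configmaps", 200),   # owner pod using its own token
    ev("10.0.1.40", "list", "secrets", 200),     # same token from another pod's IP
    ev("10.0.1.40", "create", "pods", 403),      # denied, but shows intent
    ev("10.0.1.40", "get", "endpoints", 200, sa="frontend", pod="frontend-5c2a"),
    "not json",                                  # truncated line, must be skipped
])
# Constructed inventory, e.g. taken from `kubectl get pods -o wide`.
POD_IPS = {"payments-7d9f": "10.0.1.12", "frontend-5c2a": "10.0.1.40"}

def foreign_token_use(log_text, exposed_sa, pod_ips):
    """Return events where exposed_sa's token was used from an IP that is
    not the IP of the pod the token is bound to."""
    hits = []
    for line in log_text.splitlines():
        try:
            e = json.loads(line)
        except json.JSONDecodeError:
            continue
        user = e.get("user", {})
        if user.get("username") != exposed_sa or e.get("stage") != "ResponseComplete":
            continue
        bound = (user.get("extra", {}).get(POD_KEY) or [None])[0]
        src = (e.get("sourceIPs") or [None])[0]
        # Unknown bound pod (or legacy unbound token) is kept for manual review.
        if pod_ips.get(bound) is None or src != pod_ips[bound]:
            hits.append(e)
    return hits

def summarize(events):
    """Count (verb, resource, HTTP status) to show what the token was used for."""
    return Counter((e["verb"], e.get("objectRef", {}).get("resource"),
                    e.get("responseStatus", {}).get("code")) for e in events)

if __name__ == "__main__":
    hits = foreign_token_use(AUDIT_LOG, "system:serviceaccount:shop:payments", POD_IPS)
    for op, n in summarize(hits).items():
        print(n, *op)
```

Where pods share a node IP (host networking or SNAT in front of the API server), compare against node IPs instead, since the source IP alone will not separate the two pods.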
Variations
- Suspicious Kubernetes pod token access by an unusual pod
- Suspicious Kubernetes pod token access by an unusual process