Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | N/A (single event)
Deduplication Period | 5 Days
Required Data |
Detection Modules | Cloud
Detector Tags | Kubernetes - API
ATT&CK Tactic |
ATT&CK Technique |
Severity | Informational
Description
A Kubernetes admission controller has been created or modified.
Attacker's Goals
- Intercept requests to the Kubernetes API server and record secrets and other sensitive information.
- Modify requests to the Kubernetes API server.
Investigative actions
- Verify whether the identity should use Kubernetes admission controllers.
- Examine the role of the Kubernetes admission controller and its intended function.
- Investigate other operations that were performed by the identity within the cluster.
Variations
Kubernetes validating admission controller was used in the organization for the first time
Kubernetes mutating admission controller was used in the organization for the first time
Kubernetes validating admission controller was used in the cluster for the first time
Kubernetes mutating admission controller was used in the cluster for the first time
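
The following is an added example, not part of the original page or of the product's detection logic, showing how the activity described above appears in Kubernetes API audit logs: it flags successful create, update and patch requests on validating and mutating webhook configurations and marks first use per organization and per cluster. The `cluster` field, the sample events and the reading of "first time" as first seen in the supplied events (rather than against a training baseline) are assumptions.

```python
import json

GROUP = "admissionregistration.k8s.io"
KINDS = {"validatingwebhookconfigurations": "validating",
         "mutatingwebhookconfigurations": "mutating"}
WRITE_VERBS = {"create", "update", "patch"}

def admission_controller_changes(lines):
    """Return a finding for each successful create/update/patch of a webhook configuration."""
    seen_org, seen_cluster, findings = set(), set(), []
    for line in lines:
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        kind = KINDS.get(ref.get("resource"))
        code = (ev.get("responseStatus") or {}).get("code", 0)
        if (kind is None or ref.get("apiGroup") != GROUP
                or ev.get("verb") not in WRITE_VERBS
                or ev.get("stage") != "ResponseComplete"
                or not 200 <= code < 300):
            continue  # reads, other resources, denied or failed requests
        cluster = ev.get("cluster", "unknown")  # assumed field, added at collection time
        first = None  # None means this kind was already seen in this cluster
        if kind not in seen_org:
            first = "organization"
        elif (cluster, kind) not in seen_cluster:
            first = "cluster"
        seen_org.add(kind)
        seen_cluster.add((cluster, kind))
        findings.append({"cluster": cluster, "kind": kind, "verb": ev["verb"],
                         "name": ref.get("name"), "first_seen_in": first,
                         "identity": (ev.get("user") or {}).get("username")})
    return findings

def sample_event(cluster, user, verb, resource, name, code):
    """Build one constructed audit event as a JSON line (sample data, not real logs)."""
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1",
                       "stage": "ResponseComplete", "verb": verb, "cluster": cluster,
                       "user": {"username": user}, "responseStatus": {"code": code},
                       "objectRef": {"apiGroup": GROUP, "resource": resource, "name": name}})

SAMPLE = [  # constructed events; cluster, user and object names are hypothetical
    sample_event("prod-a", "alice", "create", "validatingwebhookconfigurations", "policy-check", 201),
    sample_event("prod-a", "bob", "get", "mutatingwebhookconfigurations", "sidecar-injector", 200),
    sample_event("prod-b", "ci-bot", "patch", "validatingwebhookconfigurations", "policy-check", 200),
    sample_event("prod-b", "dev-user", "create", "mutatingwebhookconfigurations", "sidecar-injector", 403),
    sample_event("prod-a", "alice", "update", "validatingwebhookconfigurations", "policy-check", 200),
    sample_event("prod-b", "ci-bot", "create", "mutatingwebhookconfigurations", "sidecar-injector", 201),
]
```

Each finding carries the identity and object name, which are the starting points for the investigative actions listed above.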