Kubernetes environment enumeration activity

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2025-04-07
Category
Analytics Alert Reference
Index by
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

10 Minutes

Deduplication Period

5 Days

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

Kubernetes - AGENT

ATT&CK Tactic

Discovery (TA0007)

ATT&CK Technique

Container and Resource Discovery (T1613)

Severity

Informational

Description

Multiple resources within a Kubernetes cluster were enumerated.
This may indicate an adversary attempting to map the Kubernetes environment and discover resources that could assist in carrying out additional attacks within the environment.

Attacker's Goals

Map the Kubernetes cluster environment and identify potential resources to abuse.

Investigative actions

  • Identify which Kubernetes resources were discovered.
  • Investigate whether affected resources were used to extract sensitive information.

Variations

Kubernetes environment enumeration activity from a pod

Synopsis

ATT&CK Tactic

Discovery (TA0007)

ATT&CK Technique

Container and Resource Discovery (T1613)

Severity

Medium

Description

Multiple resources within a Kubernetes cluster were enumerated from within a pod.
This may indicate an adversary attempting to map the Kubernetes environment and discover resources that could assist in carrying out additional attacks within the environment.

Attacker's Goals

Map the Kubernetes cluster environment and identify potential resources to abuse.

Investigative actions

  • Identify which Kubernetes resources were discovered.
  • Investigate whether affected resources were used to extract sensitive information.
Suspicious Kubernetes environment enumeration activity

Synopsis

ATT&CK Tactic

Discovery (TA0007)

ATT&CK Technique

Container and Resource Discovery (T1613)

Severity

Low

Description

Multiple resources within a Kubernetes cluster were enumerated.
This may indicate an adversary attempting to map the Kubernetes environment and discover resources that could assist in carrying out additional attacks within the environment.

Attacker's Goals

Map the Kubernetes cluster environment and identify potential resources to abuse.

Investigative actions

  • Identify which Kubernetes resources were discovered.
  • Investigate whether affected resources were used to extract sensitive information.