Access to Kubernetes CA certificate file

Cortex XSIAM Analytics Alert Reference by Alert name

Product: Cortex XSIAM
Last date published: 2026-03-10
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: XDR Agent with eXtended Threat Hunting (XTH)
Detection Modules
Detector Tags	Kubernetes - AGENT
ATT&CK Tactic	Credential Access (TA0006)
ATT&CK Technique	Unsecured Credentials: Credentials In Files (T1552.001)
Severity	Informational

Description

A process accessed a Kubernetes CA certificate file.

Attacker's Goals

Make API calls against the Kubernetes cluster.

Investigative actions

Look for additional suspicious activities.
Verify if the exposed certificate was used to access the API server.
Investigate which operations were used against the Kubernetes cluster with the exposed certificate.

Variations

Access to Kubernetes CA certificate file by an unusual process

Synopsis

ATT&CK Tactic	Credential Access (TA0006)
ATT&CK Technique	Unsecured Credentials: Credentials In Files (T1552.001)
Severity	Low

Description

A process accessed a Kubernetes CA certificate file.

Attacker's Goals

Make API calls against the Kubernetes cluster.

Investigative actions

Look for additional suspicious activities.
Verify if the exposed certificate was used to access the API server.
Investigate which operations were used against the Kubernetes cluster with the exposed certificate.