Kubernetes API server communication from within a pod

Cortex XSIAM Analytics Alert Reference by Alert name
Product
Cortex XSIAM
Last date published
2026-03-01
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

5 Days

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

Kubernetes - AGENT

ATT&CK Tactic

Discovery (TA0007)

ATT&CK Technique

Container and Resource Discovery (T1613)

Severity

Informational

Description

The Kubernetes API server was accessed from within a pod.

Attacker's Goals

Usage of the Kubernetes API server to perform operations inside the cluster.

Investigative actions

Check if there is an active attack against the Kubernetes cluster.

Variations

Unusual Kubernetes API server communication from within a pod performed by curl process

Synopsis

ATT&CK Tactic

Discovery (TA0007)

ATT&CK Technique

Container and Resource Discovery (T1613)

Severity

Medium

Description

The Kubernetes API server was accessed from within a pod.

Attacker's Goals

Usage of the Kubernetes API server to perform operations inside the cluster.

Investigative actions

Check if there is an active attack against the Kubernetes cluster.


Unusual Kubernetes API server communication from within a pod

Synopsis

ATT&CK Tactic

Discovery (TA0007)

ATT&CK Technique

Container and Resource Discovery (T1613)

Severity

Low

Description

The Kubernetes API server was accessed from within a pod.

Attacker's Goals

Usage of the Kubernetes API server to perform operations inside the cluster.

Investigative actions

Check if there is an active attack against the Kubernetes cluster.