Potential kubelet impersonation attempt

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2026-03-01
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

10 Minutes

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Cloud

Detector Tags

Cloud Data Asset Exfiltration, Data Detection & Response

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A process accessed both the Kubelet credentials and the Kubernetes CA certificate, indicating an attempt to impersonate the node agent and communicate with the API server.

Attacker's Goals

Impersonate the node agent to gain control over the cluster.

Investigative actions

  • Look for additional suspicious activities.
  • Verify if the exposed credentials were used to access the API server.
  • Investigate which operations were used against the Kubernetes cluster with the exposed credentials.

Variations

Potential kubelet impersonation attempt by an unusual process

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

A process accessed both the Kubelet credentials and the Kubernetes CA certificate, indicating an attempt to impersonate the node agent and communicate with the API server.

Attacker's Goals

Impersonate the node agent to gain control over the cluster.

Investigative actions

  • Look for additional suspicious activities.
  • Verify if the exposed credentials were used to access the API server.
  • Investigate which operations were used against the Kubernetes cluster with the exposed credentials.
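To make the correlation behind both the base alert and the unusual-process variation concrete, and to show the investigative step of checking whether the touched credentials were then used against the API server, the following is an added example. It is not Cortex XSIAM code and does not describe the product's internal logic: the file paths (kubeadm-style defaults), the process baseline, the event and audit-record layouts and all sample data are assumptions constructed for illustration.

```python
"""Simplified correlation and triage logic modelled on the alert described above.
Added illustration, not Cortex XSIAM code: paths, field layouts, the process
baseline and every sample record below are assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed kubeadm-style default locations; adjust to the cluster's layout.
KUBELET_CREDENTIAL_PATHS = {"/etc/kubernetes/kubelet.conf",
                            "/var/lib/kubelet/pki/kubelet-client-current.pem"}
KUBERNETES_CA_PATHS = {"/etc/kubernetes/pki/ca.crt", "/var/lib/kubelet/pki/ca.crt"}
# Processes seen reading both files during the training period (assumed baseline).
BASELINE_PROCESSES = {"kubelet"}
TEST_WINDOW = timedelta(minutes=10)   # mirrors the 10-minute test period
DEDUP_PERIOD = timedelta(days=1)      # mirrors the 1-day deduplication period

# Constructed file-access events: (timestamp, host, pid, process, path)
SAMPLE_EVENTS = [
    ("2026-03-01T08:00:00", "node-1", 1201, "kubelet", "/etc/kubernetes/kubelet.conf"),
    ("2026-03-01T08:00:01", "node-1", 1201, "kubelet", "/etc/kubernetes/pki/ca.crt"),
    ("2026-03-01T08:05:00", "node-1", 4410, "curl", "/var/lib/kubelet/pki/kubelet-client-current.pem"),
    ("2026-03-01T08:05:02", "node-1", 4410, "curl", "/etc/kubernetes/pki/ca.crt"),
    # Same process name again a minute later: suppressed by the deduplication period.
    ("2026-03-01T08:06:00", "node-1", 4411, "curl", "/var/lib/kubelet/pki/kubelet-client-current.pem"),
    ("2026-03-01T08:06:01", "node-1", 4411, "curl", "/etc/kubernetes/pki/ca.crt"),
    # Both files, but 30 minutes apart: outside the test window, no alert.
    ("2026-03-01T12:00:00", "node-1", 6001, "python3", "/etc/kubernetes/kubelet.conf"),
    ("2026-03-01T12:30:00", "node-1", 6001, "python3", "/etc/kubernetes/pki/ca.crt"),
]


def classify(path):
    """Map a file path to the credential class it belongs to, or None."""
    if path in KUBELET_CREDENTIAL_PATHS:
        return "credential"
    if path in KUBERNETES_CA_PATHS:
        return "ca"
    return None


def detect(events, window=TEST_WINDOW, dedup=DEDUP_PERIOD, baseline=BASELINE_PROCESSES):
    """One alert per (host, process) when a single process reads both a kubelet
    credential and the Kubernetes CA certificate within `window`."""
    seen = defaultdict(dict)   # (host, pid, process) -> {"credential": ts, "ca": ts}
    last_alert = {}            # (host, process) -> time of last alert, for dedup
    alerts = []
    for ts_str, host, pid, proc, path in sorted(events, key=lambda e: e[0]):
        kind = classify(path)
        if kind is None:
            continue
        ts = datetime.fromisoformat(ts_str)
        key = (host, pid, proc)
        seen[key][kind] = ts                      # most recent access of this kind
        other = "ca" if kind == "credential" else "credential"
        if other not in seen[key] or ts - seen[key][other] > window:
            continue
        dedup_key = (host, proc)
        if dedup_key in last_alert and ts - last_alert[dedup_key] < dedup:
            continue
        last_alert[dedup_key] = ts
        unusual = proc not in baseline            # the Medium-severity variation
        alerts.append({
            "name": "Potential kubelet impersonation attempt"
                    + (" by an unusual process" if unusual else ""),
            "severity": "Medium" if unusual else "Low",
            "host": host, "pid": pid, "process": proc, "time": ts.isoformat(),
        })
    return alerts


# Constructed API-server audit records (trimmed audit.k8s.io/v1 layout).
SAMPLE_AUDIT = [
    '{"user":{"username":"system:node:node-1"},"verb":"get","objectRef":{"resource":"nodes","name":"node-1"},'
    '"sourceIPs":["10.0.1.10"],"requestReceivedTimestamp":"2026-03-01T08:00:05Z"}',
    '{"user":{"username":"system:node:node-1"},"verb":"list","objectRef":{"resource":"secrets","namespace":"kube-system"},'
    '"sourceIPs":["10.0.1.10"],"requestReceivedTimestamp":"2026-03-01T08:05:10Z"}',
    '{"user":{"username":"system:serviceaccount:default:app"},"verb":"get","objectRef":{"resource":"pods","namespace":"default"},'
    '"sourceIPs":["10.0.2.4"],"requestReceivedTimestamp":"2026-03-01T08:05:12Z"}',
]


def api_usage_after_alert(audit_lines, alert, lookahead=timedelta(hours=1)):
    """Investigative step: requests made with the alerting node's identity
    (system:node:<host>) after the alert, showing whether the credentials were
    used against the API server and which operations were attempted."""
    since = datetime.fromisoformat(alert["time"])
    ident = f"system:node:{alert['host']}"
    hits = []
    for line in audit_lines:
        ev = json.loads(line)
        if ev.get("user", {}).get("username") != ident:
            continue
        ts = datetime.fromisoformat(ev["requestReceivedTimestamp"].rstrip("Z"))
        if not since <= ts <= since + lookahead:
            continue
        ref = ev.get("objectRef", {})
        hits.append((ev["verb"], ref.get("resource"), ref.get("namespace"), ev.get("sourceIPs", [None])[0]))
    return hits


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["severity"], a["name"], a["process"], a["time"])
        print("  API usage after alert:", api_usage_after_alert(SAMPLE_AUDIT, a))
```

Run against the constructed events, the baselined kubelet read yields the Low base alert and the curl read yields the Medium variation; the second curl instance is absorbed by the one-day deduplication and the python3 pair is ignored because the two reads fall outside the ten-minute window. The audit lookup then answers the second and third investigative actions for an alert: it lists the verbs, resources and source addresses used with the node identity after the alert time.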