Suspicious access to Kubernetes API with kubelet credentials

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2026-03-01

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	10 Minutes
Deduplication Period	1 Day
Required Data	Requires: XDR Agent with eXtended Threat Hunting (XTH)
Detection Modules	Cloud
Detector Tags	Cloud Data Asset Exfiltration, Data Detection & Response
ATT&CK Tactic	Exfiltration (TA0010) Collection (TA0009)
ATT&CK Technique	Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
Severity	Low

Description

A combination of signals has been detected indicating that kubelet credentials were used inside a pod to access the Kubernetes API. This activity suggests an attempt to escalate privileges or move laterally within the cluster.

Attacker's Goals

Usage of the Kubernetes API server to perform operations inside the cluster.

Investigative actions

Check if there is an active attack against the Kubernetes cluster.

Variations

Suspicious access to Kubernetes API with kubelet credentials from unusual pod

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

Attacker's Goals

Usage of the Kubernetes API server to perform operations inside the cluster.

Investigative actions

Check if there is an active attack against the Kubernetes cluster.