Kubernetes Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Amazon EKS Kubernetes cluster scan detection | | Cloud Service Discovery | Hunting | Kubernetes Scanning Activity | 2024-10-17 |
| Amazon EKS Kubernetes Pod scan detection | | Cloud Service Discovery | Hunting | Kubernetes Scanning Activity | 2024-10-17 |
| GCP Kubernetes cluster pod scan detection | | Cloud Service Discovery | Hunting | Kubernetes Scanning Activity | 2024-10-17 |
| Kubernetes Abuse of Secret by Unusual Location | Kubernetes Audit | Container API | Anomaly | Kubernetes Security | 2024-09-30 |
| Kubernetes Abuse of Secret by Unusual User Agent | Kubernetes Audit | Container API | Anomaly | Kubernetes Security | 2024-09-30 |
| Kubernetes Abuse of Secret by Unusual User Group | Kubernetes Audit | Container API | Anomaly | Kubernetes Security | 2024-09-30 |
| Kubernetes Abuse of Secret by Unusual User Name | Kubernetes Audit | Container API | Anomaly | Kubernetes Security | 2024-09-30 |
| Kubernetes Access Scanning | Kubernetes Audit | Network Service Discovery | Anomaly | Kubernetes Security | 2024-09-30 |
| Kubernetes Anomalous Inbound Network Activity from Process | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-10-17 |
| Kubernetes Anomalous Inbound Outbound Network IO | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-10-17 |
| Kubernetes Anomalous Inbound to Outbound Network IO Ratio | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-10-17 |
| Kubernetes Anomalous Outbound Network Activity from Process | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-10-17 |
| Kubernetes Anomalous Traffic on Network Edge | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-10-17 |
| Kubernetes AWS detect suspicious kubectl calls | Kubernetes Audit | N/A | Anomaly | Kubernetes Security | 2024-10-17 |
| Kubernetes Create or Update Privileged Pod | Kubernetes Audit | User Execution | Anomaly | Kubernetes Security | 2024-09-30 |
| Kubernetes Cron Job Creation | Kubernetes Audit | Container Orchestration Job | Anomaly | Kubernetes Security | 2024-09-30 |
| Kubernetes DaemonSet Deployed | Kubernetes Audit | User Execution | Anomaly | Kubernetes Security | 2024-09-30 |
| Kubernetes Falco Shell Spawned | Kubernetes Falco | User Execution | Anomaly | Kubernetes Security | 2024-09-30 |
| Kubernetes newly seen TCP edge | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-10-17 |
| Kubernetes newly seen UDP edge | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-10-17 |
| Kubernetes Nginx Ingress LFI | | Exploitation for Credential Access | TTP | Dev Sec Ops | 2024-09-30 |
| Kubernetes Nginx Ingress RFI | | Exploitation for Credential Access | TTP | Dev Sec Ops | 2024-09-30 |
| Kubernetes Node Port Creation | Kubernetes Audit | User Execution | Anomaly | Kubernetes Security | 2024-09-30 |
| Kubernetes Pod Created in Default Namespace | Kubernetes Audit | User Execution | Anomaly | Kubernetes Security | 2024-09-30 |
| Kubernetes Pod With Host Network Attachment | Kubernetes Audit | User Execution | Anomaly | Kubernetes Security | 2024-09-30 |
| Kubernetes Previously Unseen Container Image Name | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-10-17 |
| Kubernetes Previously Unseen Process | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-10-17 |
| Kubernetes Process Running From New Path | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-10-17 |
| Kubernetes Process with Anomalous Resource Utilisation | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-10-17 |
| Kubernetes Process with Resource Ratio Anomalies | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-10-17 |
| Kubernetes Scanner Image Pulling | | Cloud Service Discovery | TTP | Dev Sec Ops | 2024-09-30 |
| Kubernetes Scanning by Unauthenticated IP Address | Kubernetes Audit | Network Service Discovery | Anomaly | Kubernetes Security | 2024-09-30 |
| Kubernetes Shell Running on Worker Node | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-10-17 |
| Kubernetes Shell Running on Worker Node with CPU Activity | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-10-17 |
| Kubernetes Suspicious Image Pulling | Kubernetes Audit | Cloud Service Discovery | Anomaly | Kubernetes Security | 2024-09-30 |
| Kubernetes Unauthorized Access | Kubernetes Audit | User Execution | Anomaly | Kubernetes Security | 2024-09-30 |
| AWS EKS Kubernetes cluster sensitive object access | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-10-17 |
| GCP Kubernetes cluster scan detection | | Cloud Service Discovery | TTP | Kubernetes Scanning Activity | 2024-10-17 |
| Kubernetes AWS detect most active service accounts by pod | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-10-17 |
| Kubernetes AWS detect RBAC authorization by account | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-10-17 |
| Kubernetes AWS detect sensitive role access | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-10-17 |
| Kubernetes AWS detect service accounts forbidden failure access | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-10-17 |
| Kubernetes Azure active service accounts by pod namespace | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-10-17 |
| Kubernetes Azure detect RBAC authorization by account | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-10-17 |
| Kubernetes Azure detect sensitive object access | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-10-17 |
| Kubernetes Azure detect sensitive role access | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-10-17 |
| Kubernetes Azure detect service accounts forbidden failure access | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-10-17 |
| Kubernetes Azure detect suspicious kubectl calls | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-10-17 |
| Kubernetes Azure pod scan fingerprint | | N/A | Hunting | Kubernetes Scanning Activity | 2024-10-17 |
| Kubernetes Azure scan fingerprint | | Cloud Service Discovery | Hunting | Kubernetes Scanning Activity | 2024-10-17 |
| Kubernetes GCP detect most active service accounts by pod | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-10-17 |
| Kubernetes GCP detect RBAC authorizations by account | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-10-17 |
| Kubernetes GCP detect sensitive object access | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-10-17 |
| Kubernetes GCP detect sensitive role access | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-10-17 |
| Kubernetes GCP detect service accounts forbidden failure access | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-10-17 |
| Kubernetes GCP detect suspicious kubectl calls | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-10-17 |