Kubernetes Detections

Name	Data Source	Technique	Type	Analytic Story	Date
Amazon EKS Kubernetes cluster scan detection		Cloud Service Discovery	Hunting	Kubernetes Scanning Activity	2024-05-15
Amazon EKS Kubernetes Pod scan detection		Cloud Service Discovery	Hunting	Kubernetes Scanning Activity	2024-05-29
GCP Kubernetes cluster pod scan detection		Cloud Service Discovery	Hunting	Kubernetes Scanning Activity	2024-05-18
Kubernetes Abuse of Secret by Unusual Location	Kubernetes Audit	Container API	Anomaly	Kubernetes Security	2024-05-11
Kubernetes Abuse of Secret by Unusual User Agent	Kubernetes Audit	Container API	Anomaly	Kubernetes Security	2024-05-22
Kubernetes Abuse of Secret by Unusual User Group	Kubernetes Audit	Container API	Anomaly	Kubernetes Security	2024-05-25
Kubernetes Abuse of Secret by Unusual User Name	Kubernetes Audit	Container API	Anomaly	Kubernetes Security	2024-05-27
Kubernetes Access Scanning	Kubernetes Audit	Network Service Discovery	Anomaly	Kubernetes Security	2024-05-12
Kubernetes Anomalous Inbound Network Activity from Process		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-05-17
Kubernetes Anomalous Inbound Outbound Network IO		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-09-24
Kubernetes Anomalous Inbound to Outbound Network IO Ratio		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-09-24
Kubernetes Anomalous Outbound Network Activity from Process		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-05-25
Kubernetes Anomalous Traffic on Network Edge		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-05-24
Kubernetes AWS detect suspicious kubectl calls	Kubernetes Audit	N/A	Anomaly	Kubernetes Security	2024-05-18
Kubernetes Create or Update Privileged Pod	Kubernetes Audit	User Execution	Anomaly	Kubernetes Security	2024-05-28
Kubernetes Cron Job Creation	Kubernetes Audit	Container Orchestration Job	Anomaly	Kubernetes Security	2024-05-28
Kubernetes DaemonSet Deployed	Kubernetes Audit	User Execution	Anomaly	Kubernetes Security	2024-05-16
Kubernetes Falco Shell Spawned	Kubernetes Falco	User Execution	Anomaly	Kubernetes Security	2024-05-25
Kubernetes newly seen TCP edge		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-05-15
Kubernetes newly seen UDP edge		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-05-27
Kubernetes Nginx Ingress LFI		Exploitation for Credential Access	TTP	Dev Sec Ops	2024-05-19
Kubernetes Nginx Ingress RFI		Exploitation for Credential Access	TTP	Dev Sec Ops	2024-05-19
Kubernetes Node Port Creation	Kubernetes Audit	User Execution	Anomaly	Kubernetes Security	2024-05-12
Kubernetes Pod Created in Default Namespace	Kubernetes Audit	User Execution	Anomaly	Kubernetes Security	2024-05-12
Kubernetes Pod With Host Network Attachment	Kubernetes Audit	User Execution	Anomaly	Kubernetes Security	2024-05-19
Kubernetes Previously Unseen Container Image Name		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-09-24
Kubernetes Previously Unseen Process		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-09-24
Kubernetes Process Running From New Path		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-09-24
Kubernetes Process with Anomalous Resource Utilisation		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-09-24
Kubernetes Process with Resource Ratio Anomalies		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-09-24
Kubernetes Scanner Image Pulling		Cloud Service Discovery	TTP	Dev Sec Ops	2024-05-20
Kubernetes Scanning by Unauthenticated IP Address	Kubernetes Audit	Network Service Discovery	Anomaly	Kubernetes Security	2024-05-10
Kubernetes Shell Running on Worker Node		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-09-24
Kubernetes Shell Running on Worker Node with CPU Activity		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-09-24
Kubernetes Suspicious Image Pulling	Kubernetes Audit	Cloud Service Discovery	Anomaly	Kubernetes Security	2024-05-13
Kubernetes Unauthorized Access	Kubernetes Audit	User Execution	Anomaly	Kubernetes Security	2024-05-21
AWS EKS Kubernetes cluster sensitive object access		N/A	Hunting	Kubernetes Sensitive Object Access Activity	2024-08-15
GCP Kubernetes cluster scan detection		Cloud Service Discovery	TTP	Kubernetes Scanning Activity	2024-08-15
Kubernetes AWS detect most active service accounts by pod		N/A	Hunting	Kubernetes Sensitive Role Activity	2024-08-16
Kubernetes AWS detect RBAC authorization by account		N/A	Hunting	Kubernetes Sensitive Role Activity	2024-08-15
Kubernetes AWS detect sensitive role access		N/A	Hunting	Kubernetes Sensitive Role Activity	2024-09-24
Kubernetes AWS detect service accounts forbidden failure access		N/A	Hunting	Kubernetes Sensitive Object Access Activity	2024-08-16
Kubernetes Azure active service accounts by pod namespace		N/A	Hunting	Kubernetes Sensitive Role Activity	2024-08-15
Kubernetes Azure detect RBAC authorization by account		N/A	Hunting	Kubernetes Sensitive Role Activity	2024-08-15
Kubernetes Azure detect sensitive object access		N/A	Hunting	Kubernetes Sensitive Object Access Activity	2024-08-15
Kubernetes Azure detect sensitive role access		N/A	Hunting	Kubernetes Sensitive Role Activity	2024-09-24
Kubernetes Azure detect service accounts forbidden failure access		N/A	Hunting	Kubernetes Sensitive Object Access Activity	2024-08-15
Kubernetes Azure detect suspicious kubectl calls		N/A	Hunting	Kubernetes Sensitive Object Access Activity	2024-08-15
Kubernetes Azure pod scan fingerprint		N/A	Hunting	Kubernetes Scanning Activity	2024-08-15
Kubernetes Azure scan fingerprint		Cloud Service Discovery	Hunting	Kubernetes Scanning Activity	2024-08-15
Kubernetes GCP detect most active service accounts by pod		N/A	Hunting	Kubernetes Sensitive Role Activity	2024-08-16
Kubernetes GCP detect RBAC authorizations by account		N/A	Hunting	Kubernetes Sensitive Role Activity	2024-08-15
Kubernetes GCP detect sensitive object access		N/A	Hunting	Kubernetes Sensitive Object Access Activity	2024-08-15
Kubernetes GCP detect sensitive role access		N/A	Hunting	Kubernetes Sensitive Role Activity	2024-09-24
Kubernetes GCP detect service accounts forbidden failure access		N/A	Hunting	Kubernetes Sensitive Object Access Activity	2024-08-16
Kubernetes GCP detect suspicious kubectl calls		N/A	Hunting	Kubernetes Sensitive Object Access Activity	2024-08-16