Kubernetes Detections

Name	Data Source	Technique	Type	Analytic Story	Date
Amazon EKS Kubernetes cluster scan detection		Cloud Service Discovery	Hunting	Kubernetes Scanning Activity	2024-10-17
Amazon EKS Kubernetes Pod scan detection		Cloud Service Discovery	Hunting	Kubernetes Scanning Activity	2024-10-17
GCP Kubernetes cluster pod scan detection		Cloud Service Discovery	Hunting	Kubernetes Scanning Activity	2024-10-17
Kubernetes Abuse of Secret by Unusual Location	Kubernetes Audit	Container API	Anomaly	Kubernetes Security	2024-09-30
Kubernetes Abuse of Secret by Unusual User Agent	Kubernetes Audit	Container API	Anomaly	Kubernetes Security	2024-09-30
Kubernetes Abuse of Secret by Unusual User Group	Kubernetes Audit	Container API	Anomaly	Kubernetes Security	2024-09-30
Kubernetes Abuse of Secret by Unusual User Name	Kubernetes Audit	Container API	Anomaly	Kubernetes Security	2024-09-30
Kubernetes Access Scanning	Kubernetes Audit	Network Service Discovery	Anomaly	Kubernetes Security	2024-09-30
Kubernetes Anomalous Inbound Network Activity from Process		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-10-17
Kubernetes Anomalous Inbound Outbound Network IO		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-10-17
Kubernetes Anomalous Inbound to Outbound Network IO Ratio		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-10-17
Kubernetes Anomalous Outbound Network Activity from Process		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-10-17
Kubernetes Anomalous Traffic on Network Edge		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-10-17
Kubernetes AWS detect suspicious kubectl calls	Kubernetes Audit	N/A	Anomaly	Kubernetes Security	2024-10-17
Kubernetes Create or Update Privileged Pod	Kubernetes Audit	User Execution	Anomaly	Kubernetes Security	2024-09-30
Kubernetes Cron Job Creation	Kubernetes Audit	Container Orchestration Job	Anomaly	Kubernetes Security	2024-09-30
Kubernetes DaemonSet Deployed	Kubernetes Audit	User Execution	Anomaly	Kubernetes Security	2024-09-30
Kubernetes Falco Shell Spawned	Kubernetes Falco	User Execution	Anomaly	Kubernetes Security	2024-09-30
Kubernetes newly seen TCP edge		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-10-17
Kubernetes newly seen UDP edge		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-10-17
Kubernetes Nginx Ingress LFI		Exploitation for Credential Access	TTP	Dev Sec Ops	2024-09-30
Kubernetes Nginx Ingress RFI		Exploitation for Credential Access	TTP	Dev Sec Ops	2024-09-30
Kubernetes Node Port Creation	Kubernetes Audit	User Execution	Anomaly	Kubernetes Security	2024-09-30
Kubernetes Pod Created in Default Namespace	Kubernetes Audit	User Execution	Anomaly	Kubernetes Security	2024-09-30
Kubernetes Pod With Host Network Attachment	Kubernetes Audit	User Execution	Anomaly	Kubernetes Security	2024-09-30
Kubernetes Previously Unseen Container Image Name		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-10-17
Kubernetes Previously Unseen Process		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-10-17
Kubernetes Process Running From New Path		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-10-17
Kubernetes Process with Anomalous Resource Utilisation		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-10-17
Kubernetes Process with Resource Ratio Anomalies		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-10-17
Kubernetes Scanner Image Pulling		Cloud Service Discovery	TTP	Dev Sec Ops	2024-09-30
Kubernetes Scanning by Unauthenticated IP Address	Kubernetes Audit	Network Service Discovery	Anomaly	Kubernetes Security	2024-09-30
Kubernetes Shell Running on Worker Node		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-10-17
Kubernetes Shell Running on Worker Node with CPU Activity		User Execution	Anomaly	Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring	2024-10-17
Kubernetes Suspicious Image Pulling	Kubernetes Audit	Cloud Service Discovery	Anomaly	Kubernetes Security	2024-09-30
Kubernetes Unauthorized Access	Kubernetes Audit	User Execution	Anomaly	Kubernetes Security	2024-09-30
AWS EKS Kubernetes cluster sensitive object access		N/A	Hunting	Kubernetes Sensitive Object Access Activity	2024-10-17
GCP Kubernetes cluster scan detection		Cloud Service Discovery	TTP	Kubernetes Scanning Activity	2024-10-17
Kubernetes AWS detect most active service accounts by pod		N/A	Hunting	Kubernetes Sensitive Role Activity	2024-10-17
Kubernetes AWS detect RBAC authorization by account		N/A	Hunting	Kubernetes Sensitive Role Activity	2024-10-17
Kubernetes AWS detect sensitive role access		N/A	Hunting	Kubernetes Sensitive Role Activity	2024-10-17
Kubernetes AWS detect service accounts forbidden failure access		N/A	Hunting	Kubernetes Sensitive Object Access Activity	2024-10-17
Kubernetes Azure active service accounts by pod namespace		N/A	Hunting	Kubernetes Sensitive Role Activity	2024-10-17
Kubernetes Azure detect RBAC authorization by account		N/A	Hunting	Kubernetes Sensitive Role Activity	2024-10-17
Kubernetes Azure detect sensitive object access		N/A	Hunting	Kubernetes Sensitive Object Access Activity	2024-10-17
Kubernetes Azure detect sensitive role access		N/A	Hunting	Kubernetes Sensitive Role Activity	2024-10-17
Kubernetes Azure detect service accounts forbidden failure access		N/A	Hunting	Kubernetes Sensitive Object Access Activity	2024-10-17
Kubernetes Azure detect suspicious kubectl calls		N/A	Hunting	Kubernetes Sensitive Object Access Activity	2024-10-17
Kubernetes Azure pod scan fingerprint		N/A	Hunting	Kubernetes Scanning Activity	2024-10-17
Kubernetes Azure scan fingerprint		Cloud Service Discovery	Hunting	Kubernetes Scanning Activity	2024-10-17
Kubernetes GCP detect most active service accounts by pod		N/A	Hunting	Kubernetes Sensitive Role Activity	2024-10-17
Kubernetes GCP detect RBAC authorizations by account		N/A	Hunting	Kubernetes Sensitive Role Activity	2024-10-17
Kubernetes GCP detect sensitive object access		N/A	Hunting	Kubernetes Sensitive Object Access Activity	2024-10-17
Kubernetes GCP detect sensitive role access		N/A	Hunting	Kubernetes Sensitive Role Activity	2024-10-17
Kubernetes GCP detect service accounts forbidden failure access		N/A	Hunting	Kubernetes Sensitive Object Access Activity	2024-10-17
Kubernetes GCP detect suspicious kubectl calls		N/A	Hunting	Kubernetes Sensitive Object Access Activity	2024-10-17