Initial construction of a new pod (ex: kubectl apply|run)
Initial construction of a new pod (ex: kubectl apply|run)
Domain | ID | Name | Detects | |
---|---|---|---|---|
Enterprise | T1610 | Deploy Container |
Monitor for newly constructed pods that may deploy a container into an environment to facilitate execution or evade defenses. |
An extracted list of pods within a cluster (ex: kubectl get pods)
An extracted list of pods within a cluster (ex: kubectl get pods)
Domain | ID | Name | Detects | |
---|---|---|---|---|
Enterprise | T1613 | Container and Resource Discovery |
Monitor logs for actions that could be taken to gather information about pods, including the use of discovery API calls by new or unexpected users. Monitor account activity logs to see actions performed and activity associated with the Kubernetes dashboard and other web applications. |
Contextual data about a pod and activity around it such as name, ID, namespace, or status
Contextual data about a pod and activity around it such as name, ID, namespace, or status
Changes made to a pod, including its settings and/or control data (ex: kubectl set|patch|edit)
Changes made to a pod, including its settings and/or control data (ex: kubectl set|patch|edit)
Domain | ID | Name | Detects | |
---|---|---|---|---|
Enterprise | T1610 | Deploy Container |
Monitor for changes made to pods for unexpected modifications to settings and/or control data that may deploy a container into an environment to facilitate execution or evade defenses. |