Pod

A single unit of shared resources within a cluster, comprised of one or more containers[1][2]

ID: DS0014
Platform: Containers
Collection Layer: Container
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 10 November 2021

Data Components

Pod: Pod Creation

Initial construction of a new pod (ex: kubectl apply|run)

Domain: Enterprise
ID: T1610
Name: Deploy Container
Detects: Monitor for newly constructed pods that may deploy a container into an environment to facilitate execution or evade defenses.

Pod: Pod Enumeration

An extracted list of pods within a cluster (ex: kubectl get pods)

Domain: Enterprise
ID: T1613
Name: Container and Resource Discovery
Detects: Monitor logs for actions that could be taken to gather information about pods, including the use of discovery API calls by new or unexpected users. Monitor account activity logs to see actions performed and activity associated with the Kubernetes dashboard and other web applications.

Pod: Pod Metadata

Contextual data about a pod and activity around it such as name, ID, namespace, or status

Pod: Pod Modification

Changes made to a pod, including its settings and/or control data (ex: kubectl set|patch|edit)

Domain: Enterprise
ID: T1610
Name: Deploy Container
Detects: Monitor for changes made to pods for unexpected modifications to settings and/or control data that may deploy a container into an environment to facilitate execution or evade defenses.
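Added example, not part of the ATT&CK page: the Pod Creation, Pod Enumeration and Pod Modification detection notes above applied as one triage pass over constructed Kubernetes audit-log records. It assumes the standard audit.k8s.io/v1 event fields (stage, verb, user.username, objectRef, responseStatus) and an allowlist of expected principals; the verb-to-component mapping and the sample records are constructed for illustration.

```python
import json

# Audit verbs mapped to this page's Pod data components and the techniques they detect (assumed mapping).
COMPONENTS = {
    "create": ("Pod Creation", "T1610"),
    "list": ("Pod Enumeration", "T1613"),
    "watch": ("Pod Enumeration", "T1613"),
    "patch": ("Pod Modification", "T1610"),
    "update": ("Pod Modification", "T1610"),
}

def classify(event):
    """Map one audit.k8s.io/v1 event to a data component, or None if not pod-related."""
    ref = event.get("objectRef", {})
    # Ignore non-pod objects, subresources such as pods/log, and the RequestReceived stage
    if ref.get("resource") != "pods" or ref.get("subresource") or event.get("stage") != "ResponseComplete":
        return None
    hit = COMPONENTS.get(event.get("verb"))
    if hit is None:
        return None
    return {
        "component": hit[0],
        "technique": hit[1],
        "user": event.get("user", {}).get("username", "<unknown>"),
        "namespace": ref.get("namespace"),  # Pod Metadata fields kept for triage
        "name": ref.get("name"),
        "status": event.get("responseStatus", {}).get("code"),
    }

def triage(lines, expected_users):
    """Parse JSON-lines audit records and flag pod activity by unexpected principals."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue  # malformed record: skip it rather than abort the whole run
        finding = classify(event)
        if finding and finding["user"] not in expected_users:
            findings.append(finding)
    return findings

# Constructed sample records, not real cluster data
SAMPLE = [
    '{"stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:ci:deployer"},"objectRef":{"resource":"pods","namespace":"prod","name":"web-1"},"responseStatus":{"code":201}}',
    '{"stage":"ResponseComplete","verb":"list","user":{"username":"dev-temp"},"objectRef":{"resource":"pods","namespace":"prod"},"responseStatus":{"code":200}}',
    '{"stage":"ResponseComplete","verb":"patch","user":{"username":"dev-temp"},"objectRef":{"resource":"pods","namespace":"prod","name":"web-1"},"responseStatus":{"code":200}}',
    '{"stage":"ResponseComplete","verb":"get","user":{"username":"dev-temp"},"objectRef":{"resource":"pods","subresource":"log","namespace":"prod","name":"web-1"},"responseStatus":{"code":200}}',
    "not json",
]
```

Running `triage(SAMPLE, {"system:serviceaccount:ci:deployer"})` returns the unexpected user's pod list and pod patch; the expected deployer's creation and the pods/log read are not flagged.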

References