Pods Kubernetes-pods

21 operations, identified by Operation in the audit log.

Operation	Description
get-pods
list-pods
watch-pods
create-pods	Pod created (execution, privilege escalation via hostPID/hostNetwork/hostIPC, privileged container).
update-pods
patch-pods
delete-pods
deletecollection-pods
get-pods-attach
create-pods-attach	Container attach (kubectl attach; interactive session).
update-pods-ephemeralcontainers	Ephemeral container added to a running pod.
patch-pods-ephemeralcontainers	Ephemeral container patched.
get-pods-exec
create-pods-exec	Remote command execution in a container (kubectl exec issues create on pods/exec subresource).
get-pods-log
get-pods-portforward
create-pods-portforward	Port forwarding from a pod (kubectl port-forward).
get-pods-proxy
get-pods-status
update-pods-status
any-pods	Synthetic aggregation for rules that filter the pods resource with no specific verb. Not a distinct audit record; hosts rule listings that key on objectRef.resource alone.

get-pods: get pods

Resource: Kubernetes-pods

Fields #

Name	Description
`verb`	The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...).
`objectRef.resource`	The targeted resource type (plural API name, e.g. pods, secrets).
`objectRef.subresource`	The targeted subresource, when present (e.g. exec, log, token).
`objectRef.namespace`	Namespace of the targeted object (empty for cluster-scoped resources).
`objectRef.name`	Name of the targeted object.
`objectRef.apiGroup`	API group of the targeted resource (empty string for core group).
`user.username`	Authenticated identity that issued the request (user or service account).
`user.groups`	Groups of the requesting identity.
`sourceIPs`	Source IP addresses of the request.
`responseStatus.code`	HTTP status code of the API response (200, 201, 403, 404, ...).
`stage`	Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic.
`requestReceivedTimestamp`	Time the apiserver received the request.

list-pods: list pods

Resource: Kubernetes-pods

Fields #

Name	Description
`verb`	The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...).
`objectRef.resource`	The targeted resource type (plural API name, e.g. pods, secrets).
`objectRef.subresource`	The targeted subresource, when present (e.g. exec, log, token).
`objectRef.namespace`	Namespace of the targeted object (empty for cluster-scoped resources).
`objectRef.name`	Name of the targeted object.
`objectRef.apiGroup`	API group of the targeted resource (empty string for core group).
`user.username`	Authenticated identity that issued the request (user or service account).
`user.groups`	Groups of the requesting identity.
`sourceIPs`	Source IP addresses of the request.
`responseStatus.code`	HTTP status code of the API response (200, 201, 403, 404, ...).
`stage`	Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic.
`requestReceivedTimestamp`	Time the apiserver received the request.

watch-pods: watch pods

Resource: Kubernetes-pods

Fields #

Name	Description
`verb`	The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...).
`objectRef.resource`	The targeted resource type (plural API name, e.g. pods, secrets).
`objectRef.subresource`	The targeted subresource, when present (e.g. exec, log, token).
`objectRef.namespace`	Namespace of the targeted object (empty for cluster-scoped resources).
`objectRef.name`	Name of the targeted object.
`objectRef.apiGroup`	API group of the targeted resource (empty string for core group).
`user.username`	Authenticated identity that issued the request (user or service account).
`user.groups`	Groups of the requesting identity.
`sourceIPs`	Source IP addresses of the request.
`responseStatus.code`	HTTP status code of the API response (200, 201, 403, 404, ...).
`stage`	Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic.
`requestReceivedTimestamp`	Time the apiserver received the request.

create-pods: create pods

Resource: Kubernetes-pods

Description

Pod created (execution, privilege escalation via hostPID/hostNetwork/hostIPC, privileged container).

Fields #

Name	Description
`verb`	The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...).
`objectRef.resource`	The targeted resource type (plural API name, e.g. pods, secrets).
`objectRef.subresource`	The targeted subresource, when present (e.g. exec, log, token).
`objectRef.namespace`	Namespace of the targeted object (empty for cluster-scoped resources).
`objectRef.name`	Name of the targeted object.
`objectRef.apiGroup`	API group of the targeted resource (empty string for core group).
`user.username`	Authenticated identity that issued the request (user or service account).
`user.groups`	Groups of the requesting identity.
`sourceIPs`	Source IP addresses of the request.
`responseStatus.code`	HTTP status code of the API response (200, 201, 403, 404, ...).
`stage`	Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic.
`requestReceivedTimestamp`	Time the apiserver received the request.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`kubernetes.audit.objectRef.resource`	eq	`pods`	9 rules	elastic
`kubernetes.audit.annotations.authorization_k8s_io/decision`	eq	`allow`	8 rules	elastic
`kubernetes.audit.verb`	eq	`create`	4 rules	elastic
`kubernetes.audit.verb`	in	`create`	5 rules	elastic
`kubernetes.audit.verb`	in	`patch`	5 rules	elastic
`kubernetes.audit.verb`	in	`update`	5 rules	elastic
`objectRef.resource`	eq	`pods`	3 rules	sigma, splunk
`verb`	eq	`create`	3 rules	panther, sigma, splunk
`kubernetes.audit.level`	in	`Request`	1 rule	elastic
`kubernetes.audit.level`	in	`RequestResponse`	1 rule	elastic
`kubernetes.audit.level`	in	`ResponseComplete`	1 rule	elastic
`kubernetes.audit.objectRef.namespace`	eq	`kube-system`	1 rule	elastic
`kubernetes.audit.user.username`	in	`system:anonymous`	1 rule	elastic
`kubernetes.audit.user.username`	in	`system:unauthenticated`	1 rule	elastic
`kubernetes.audit.user.username`	is_null		1 rule	elastic

Detection Rules #

View all rules referencing this event →

Sigma #

Container With A hostPath Mount Created source low: Detects creation of a container with a hostPath mount. A hostPath volume mounts a directory or a file from the node to the container. Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node.
Creation Of Pod In System Namespace source medium: Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods. System pods, created by controllers such as Deployments or DaemonSets have random suffixes in their names. Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection. Deployment of such a backdoor container e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers.
Privileged Container Deployed source low: Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting a container breakout attacks. A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host. Various versions of "privileged" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields

Elastic #

Kubernetes Container Created with Excessive Linux Capabilities source medium: This rule detects a container deployed with one or more dangerously permissive Linux capabilities. An attacker with the ability to deploy a container with added capabilities could use this for further execution, lateral movement, or privilege escalation within a cluster. The capabilities detected in this rule have been used in container escapes to the host machine.
Kubernetes Privileged Pod Created source medium: This rule detects when a user creates a pod/container running in privileged mode. A highly privileged container has access to the node's resources and breaks the isolation between containers. If compromised, an attacker can use the privileged container to gain access to the underlying host. Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.
Kubernetes Suspicious Assignment of Controller Service Account source medium: This rule detects a request to attach a controller service account to an existing or new pod running in the kube-system namespace. By default, controllers running as part of the API Server utilize admin-equivalent service accounts hosted in the kube-system namespace. Controller service accounts aren't normally assigned to running pods and could indicate adversary behavior within the cluster. An attacker that can create or modify pods or pod controllers in the kube-system namespace, can assign one of these admin-equivalent service accounts to a pod and abuse their powerful token to escalate privileges and gain complete cluster control.

Show 6 more (9 total)

Kubernetes Pod Creation Using Common Debug or Base Images source low: Detects successful Kubernetes pod creation requests using commonly abused base and debugging container images such as BusyBox, Alpine, Ubuntu, Netshoot, and network multitool variants. These images are frequently used by attackers to deploy short-lived or interactive "throwaway" containers for reconnaissance, payload staging, or command execution due to their small footprint or built-in tooling.
Kubernetes Anonymous User Create/Update/Patch Pods Request source medium: This rule detects attempts to create, update, or patch pods by an anonymous user. An anonymous user is a user that is not authenticated or authorized to access the Kubernetes API server. Creating, updating, or patching pods is a common activity for attackers to gain access to the cluster and execute commands.↳ also matches update-pods: update pods, patch-pods: patch pods
Kubernetes Pod Created With HostIPC source medium: This rule detects an attempt to create or modify a pod using the host IPC namespace. This gives access to data used by any pod that also use the hosts IPC namespace. If any process on the host or any processes in a pod uses the hosts inter-process communication mechanisms (shared memory, semaphore arrays, message queues, etc.), an attacker can read/write to those same mechanisms. They may look for files in /dev/shm or use ipcs to check for any IPC facilities being used.↳ also matches update-pods: update pods, patch-pods: patch pods
Kubernetes Pod Created With HostNetwork source medium: This rules detects an attempt to create or modify a pod attached to the host network. HostNetwork allows a pod to use the node network namespace. Doing so gives the pod access to any service running on localhost of the host. An attacker could use this access to snoop on network activity of other pods on the same node or bypass restrictive network policies applied to its given namespace.↳ also matches update-pods: update pods, patch-pods: patch pods
Kubernetes Pod Created With HostPID source medium: This rule detects an attempt to create or modify a pod attached to the host PID namespace. HostPID allows a pod to access all the processes running on the host and could allow an attacker to take malicious action. When paired with ptrace this can be used to escalate privileges outside of the container. When paired with a privileged container, the pod can see all of the processes on the host. An attacker can enter the init system (PID 1) on the host. From there, they could execute a shell and continue to escalate privileges to root.↳ also matches update-pods: update pods, patch-pods: patch pods
Kubernetes Pod Created with a Sensitive hostPath Volume source medium: This rule detects when a pod is created with a sensitive volume of type hostPath. A hostPath volume type mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node. There are many ways a container with unrestricted access to the host filesystem can escalate privileges, including reading data from other containers, and accessing tokens of more privileged pods.↳ also matches update-pods: update pods, patch-pods: patch pods

update-pods: update pods

Resource: Kubernetes-pods

Fields #

Name	Description
`verb`	The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...).
`objectRef.resource`	The targeted resource type (plural API name, e.g. pods, secrets).
`objectRef.subresource`	The targeted subresource, when present (e.g. exec, log, token).
`objectRef.namespace`	Namespace of the targeted object (empty for cluster-scoped resources).
`objectRef.name`	Name of the targeted object.
`objectRef.apiGroup`	API group of the targeted resource (empty string for core group).
`user.username`	Authenticated identity that issued the request (user or service account).
`user.groups`	Groups of the requesting identity.
`sourceIPs`	Source IP addresses of the request.
`responseStatus.code`	HTTP status code of the API response (200, 201, 403, 404, ...).
`stage`	Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic.
`requestReceivedTimestamp`	Time the apiserver received the request.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`kubernetes.audit.objectRef.resource`	eq	`pods`	5 rules	elastic
`kubernetes.audit.verb`	in	`create`	5 rules	elastic
`kubernetes.audit.verb`	in	`patch`	5 rules	elastic
`kubernetes.audit.verb`	in	`update`	5 rules	elastic
`kubernetes.audit.annotations.authorization_k8s_io/decision`	eq	`allow`	4 rules	elastic
`kubernetes.audit.level`	in	`Request`	1 rule	elastic
`kubernetes.audit.level`	in	`RequestResponse`	1 rule	elastic
`kubernetes.audit.level`	in	`ResponseComplete`	1 rule	elastic
`kubernetes.audit.user.username`	in	`system:anonymous`	1 rule	elastic
`kubernetes.audit.user.username`	in	`system:unauthenticated`	1 rule	elastic
`kubernetes.audit.user.username`	is_null		1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

Kubernetes Anonymous User Create/Update/Patch Pods Request source medium: This rule detects attempts to create, update, or patch pods by an anonymous user. An anonymous user is a user that is not authenticated or authorized to access the Kubernetes API server. Creating, updating, or patching pods is a common activity for attackers to gain access to the cluster and execute commands.↳ also matches create-pods: create pods, patch-pods: patch pods
Kubernetes Pod Created With HostIPC source medium: This rule detects an attempt to create or modify a pod using the host IPC namespace. This gives access to data used by any pod that also use the hosts IPC namespace. If any process on the host or any processes in a pod uses the hosts inter-process communication mechanisms (shared memory, semaphore arrays, message queues, etc.), an attacker can read/write to those same mechanisms. They may look for files in /dev/shm or use ipcs to check for any IPC facilities being used.↳ also matches create-pods: create pods, patch-pods: patch pods
Kubernetes Pod Created With HostNetwork source medium: This rules detects an attempt to create or modify a pod attached to the host network. HostNetwork allows a pod to use the node network namespace. Doing so gives the pod access to any service running on localhost of the host. An attacker could use this access to snoop on network activity of other pods on the same node or bypass restrictive network policies applied to its given namespace.↳ also matches create-pods: create pods, patch-pods: patch pods

Show 2 more (5 total)

Kubernetes Pod Created With HostPID source medium: This rule detects an attempt to create or modify a pod attached to the host PID namespace. HostPID allows a pod to access all the processes running on the host and could allow an attacker to take malicious action. When paired with ptrace this can be used to escalate privileges outside of the container. When paired with a privileged container, the pod can see all of the processes on the host. An attacker can enter the init system (PID 1) on the host. From there, they could execute a shell and continue to escalate privileges to root.↳ also matches create-pods: create pods, patch-pods: patch pods
Kubernetes Pod Created with a Sensitive hostPath Volume source medium: This rule detects when a pod is created with a sensitive volume of type hostPath. A hostPath volume type mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node. There are many ways a container with unrestricted access to the host filesystem can escalate privileges, including reading data from other containers, and accessing tokens of more privileged pods.↳ also matches create-pods: create pods, patch-pods: patch pods

patch-pods: patch pods

Resource: Kubernetes-pods

Fields #

Name	Description
`verb`	The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...).
`objectRef.resource`	The targeted resource type (plural API name, e.g. pods, secrets).
`objectRef.subresource`	The targeted subresource, when present (e.g. exec, log, token).
`objectRef.namespace`	Namespace of the targeted object (empty for cluster-scoped resources).
`objectRef.name`	Name of the targeted object.
`objectRef.apiGroup`	API group of the targeted resource (empty string for core group).
`user.username`	Authenticated identity that issued the request (user or service account).
`user.groups`	Groups of the requesting identity.
`sourceIPs`	Source IP addresses of the request.
`responseStatus.code`	HTTP status code of the API response (200, 201, 403, 404, ...).
`stage`	Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic.
`requestReceivedTimestamp`	Time the apiserver received the request.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`kubernetes.audit.objectRef.resource`	eq	`pods`	5 rules	elastic
`kubernetes.audit.verb`	in	`create`	5 rules	elastic
`kubernetes.audit.verb`	in	`patch`	5 rules	elastic
`kubernetes.audit.verb`	in	`update`	5 rules	elastic
`kubernetes.audit.annotations.authorization_k8s_io/decision`	eq	`allow`	4 rules	elastic
`kubernetes.audit.level`	in	`Request`	1 rule	elastic
`kubernetes.audit.level`	in	`RequestResponse`	1 rule	elastic
`kubernetes.audit.level`	in	`ResponseComplete`	1 rule	elastic
`kubernetes.audit.user.username`	in	`system:anonymous`	1 rule	elastic
`kubernetes.audit.user.username`	in	`system:unauthenticated`	1 rule	elastic
`kubernetes.audit.user.username`	is_null		1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

Kubernetes Anonymous User Create/Update/Patch Pods Request source medium: This rule detects attempts to create, update, or patch pods by an anonymous user. An anonymous user is a user that is not authenticated or authorized to access the Kubernetes API server. Creating, updating, or patching pods is a common activity for attackers to gain access to the cluster and execute commands.↳ also matches create-pods: create pods, update-pods: update pods
Kubernetes Pod Created With HostIPC source medium: This rule detects an attempt to create or modify a pod using the host IPC namespace. This gives access to data used by any pod that also use the hosts IPC namespace. If any process on the host or any processes in a pod uses the hosts inter-process communication mechanisms (shared memory, semaphore arrays, message queues, etc.), an attacker can read/write to those same mechanisms. They may look for files in /dev/shm or use ipcs to check for any IPC facilities being used.↳ also matches create-pods: create pods, update-pods: update pods
Kubernetes Pod Created With HostNetwork source medium: This rules detects an attempt to create or modify a pod attached to the host network. HostNetwork allows a pod to use the node network namespace. Doing so gives the pod access to any service running on localhost of the host. An attacker could use this access to snoop on network activity of other pods on the same node or bypass restrictive network policies applied to its given namespace.↳ also matches create-pods: create pods, update-pods: update pods

Show 2 more (5 total)

Kubernetes Pod Created With HostPID source medium: This rule detects an attempt to create or modify a pod attached to the host PID namespace. HostPID allows a pod to access all the processes running on the host and could allow an attacker to take malicious action. When paired with ptrace this can be used to escalate privileges outside of the container. When paired with a privileged container, the pod can see all of the processes on the host. An attacker can enter the init system (PID 1) on the host. From there, they could execute a shell and continue to escalate privileges to root.↳ also matches create-pods: create pods, update-pods: update pods
Kubernetes Pod Created with a Sensitive hostPath Volume source medium: This rule detects when a pod is created with a sensitive volume of type hostPath. A hostPath volume type mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node. There are many ways a container with unrestricted access to the host filesystem can escalate privileges, including reading data from other containers, and accessing tokens of more privileged pods.↳ also matches create-pods: create pods, update-pods: update pods

delete-pods: delete pods

Resource: Kubernetes-pods

Fields #

Name	Description
`verb`	The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...).
`objectRef.resource`	The targeted resource type (plural API name, e.g. pods, secrets).
`objectRef.subresource`	The targeted subresource, when present (e.g. exec, log, token).
`objectRef.namespace`	Namespace of the targeted object (empty for cluster-scoped resources).
`objectRef.name`	Name of the targeted object.
`objectRef.apiGroup`	API group of the targeted resource (empty string for core group).
`user.username`	Authenticated identity that issued the request (user or service account).
`user.groups`	Groups of the requesting identity.
`sourceIPs`	Source IP addresses of the request.
`responseStatus.code`	HTTP status code of the API response (200, 201, 403, 404, ...).
`stage`	Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic.
`requestReceivedTimestamp`	Time the apiserver received the request.

deletecollection-pods: deletecollection pods

Resource: Kubernetes-pods

Fields #

Name	Description
`verb`	The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...).
`objectRef.resource`	The targeted resource type (plural API name, e.g. pods, secrets).
`objectRef.subresource`	The targeted subresource, when present (e.g. exec, log, token).
`objectRef.namespace`	Namespace of the targeted object (empty for cluster-scoped resources).
`objectRef.name`	Name of the targeted object.
`objectRef.apiGroup`	API group of the targeted resource (empty string for core group).
`user.username`	Authenticated identity that issued the request (user or service account).
`user.groups`	Groups of the requesting identity.
`sourceIPs`	Source IP addresses of the request.
`responseStatus.code`	HTTP status code of the API response (200, 201, 403, 404, ...).
`stage`	Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic.
`requestReceivedTimestamp`	Time the apiserver received the request.

get-pods-attach: get pods/attach

Resource: Kubernetes-pods

Fields #

Name	Description
`verb`	The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...).
`objectRef.resource`	The targeted resource type (plural API name, e.g. pods, secrets).
`objectRef.subresource`	The targeted subresource, when present (e.g. exec, log, token).
`objectRef.namespace`	Namespace of the targeted object (empty for cluster-scoped resources).
`objectRef.name`	Name of the targeted object.
`objectRef.apiGroup`	API group of the targeted resource (empty string for core group).
`user.username`	Authenticated identity that issued the request (user or service account).
`user.groups`	Groups of the requesting identity.
`sourceIPs`	Source IP addresses of the request.
`responseStatus.code`	HTTP status code of the API response (200, 201, 403, 404, ...).
`stage`	Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic.
`requestReceivedTimestamp`	Time the apiserver received the request.

create-pods-attach: create pods/attach

Resource: Kubernetes-pods

Description

Container attach (kubectl attach; interactive session).

Fields #

Name	Description
`verb`	The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...).
`objectRef.resource`	The targeted resource type (plural API name, e.g. pods, secrets).
`objectRef.subresource`	The targeted subresource, when present (e.g. exec, log, token).
`objectRef.namespace`	Namespace of the targeted object (empty for cluster-scoped resources).
`objectRef.name`	Name of the targeted object.
`objectRef.apiGroup`	API group of the targeted resource (empty string for core group).
`user.username`	Authenticated identity that issued the request (user or service account).
`user.groups`	Groups of the requesting identity.
`sourceIPs`	Source IP addresses of the request.
`responseStatus.code`	HTTP status code of the API response (200, 201, 403, 404, ...).
`stage`	Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic.
`requestReceivedTimestamp`	Time the apiserver received the request.

update-pods-ephemeralcontainers: update pods/ephemeralcontainers

Resource: Kubernetes-pods

Description

Ephemeral container added to a running pod.

Fields #

Name	Description
`verb`	The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...).
`objectRef.resource`	The targeted resource type (plural API name, e.g. pods, secrets).
`objectRef.subresource`	The targeted subresource, when present (e.g. exec, log, token).
`objectRef.namespace`	Namespace of the targeted object (empty for cluster-scoped resources).
`objectRef.name`	Name of the targeted object.
`objectRef.apiGroup`	API group of the targeted resource (empty string for core group).
`user.username`	Authenticated identity that issued the request (user or service account).
`user.groups`	Groups of the requesting identity.
`sourceIPs`	Source IP addresses of the request.
`responseStatus.code`	HTTP status code of the API response (200, 201, 403, 404, ...).
`stage`	Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic.
`requestReceivedTimestamp`	Time the apiserver received the request.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`kubernetes.audit.objectRef.resource`	eq	`pods`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

Kubernetes Ephemeral Container Added to Pod source medium: Detects allowed updates to the pods/ephemeralcontainers subresource by a non-system identity. Ephemeral containers are commonly used for debugging (kubectl debug) but can also be abused to inject tooling into a running pod, access mounted secrets, and execute commands in the target pod context. Attackers with sufficient RBAC may use ephemeral containers to escalate privileges, move laterally, or establish persistence without deploying a new workload.↳ also matches patch-pods-ephemeralcontainers: patch pods/ephemeralcontainers

patch-pods-ephemeralcontainers: patch pods/ephemeralcontainers

Resource: Kubernetes-pods

Description

Ephemeral container patched.

Fields #

Name	Description
`verb`	The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...).
`objectRef.resource`	The targeted resource type (plural API name, e.g. pods, secrets).
`objectRef.subresource`	The targeted subresource, when present (e.g. exec, log, token).
`objectRef.namespace`	Namespace of the targeted object (empty for cluster-scoped resources).
`objectRef.name`	Name of the targeted object.
`objectRef.apiGroup`	API group of the targeted resource (empty string for core group).
`user.username`	Authenticated identity that issued the request (user or service account).
`user.groups`	Groups of the requesting identity.
`sourceIPs`	Source IP addresses of the request.
`responseStatus.code`	HTTP status code of the API response (200, 201, 403, 404, ...).
`stage`	Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic.
`requestReceivedTimestamp`	Time the apiserver received the request.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`kubernetes.audit.objectRef.resource`	eq	`pods`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

Kubernetes Ephemeral Container Added to Pod source medium: Detects allowed updates to the pods/ephemeralcontainers subresource by a non-system identity. Ephemeral containers are commonly used for debugging (kubectl debug) but can also be abused to inject tooling into a running pod, access mounted secrets, and execute commands in the target pod context. Attackers with sufficient RBAC may use ephemeral containers to escalate privileges, move laterally, or establish persistence without deploying a new workload.↳ also matches update-pods-ephemeralcontainers: update pods/ephemeralcontainers

get-pods-exec: get pods/exec

Resource: Kubernetes-pods

Fields #

Name	Description
`verb`	The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...).
`objectRef.resource`	The targeted resource type (plural API name, e.g. pods, secrets).
`objectRef.subresource`	The targeted subresource, when present (e.g. exec, log, token).
`objectRef.namespace`	Namespace of the targeted object (empty for cluster-scoped resources).
`objectRef.name`	Name of the targeted object.
`objectRef.apiGroup`	API group of the targeted resource (empty string for core group).
`user.username`	Authenticated identity that issued the request (user or service account).
`user.groups`	Groups of the requesting identity.
`sourceIPs`	Source IP addresses of the request.
`responseStatus.code`	HTTP status code of the API response (200, 201, 403, 404, ...).
`stage`	Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic.
`requestReceivedTimestamp`	Time the apiserver received the request.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`kubernetes.audit.annotations.authorization_k8s_io/decision`	eq	`allow`	1 rule	elastic
`kubernetes.audit.objectRef.subresource`	eq	`exec`	1 rule	elastic
`kubernetes.audit.stage`	in	`ResponseComplete`	1 rule	elastic
`kubernetes.audit.stage`	in	`ResponseStarted`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

Kubernetes User Exec into Pod source medium: This rule detects a user attempt to establish a shell session into a pod using the 'exec' command. Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/commands in the pod. An adversary may call bash to gain a persistent interactive shell which will allow access to any data the pod has permissions to, including secrets.↳ also matches create-pods-exec: create pods/exec

create-pods-exec: create pods/exec

Resource: Kubernetes-pods

Description

Remote command execution in a container (kubectl exec issues create on pods/exec subresource).

Fields #

Name	Description
`verb`	The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...).
`objectRef.resource`	The targeted resource type (plural API name, e.g. pods, secrets).
`objectRef.subresource`	The targeted subresource, when present (e.g. exec, log, token).
`objectRef.namespace`	Namespace of the targeted object (empty for cluster-scoped resources).
`objectRef.name`	Name of the targeted object.
`objectRef.apiGroup`	API group of the targeted resource (empty string for core group).
`user.username`	Authenticated identity that issued the request (user or service account).
`user.groups`	Groups of the requesting identity.
`sourceIPs`	Source IP addresses of the request.
`responseStatus.code`	HTTP status code of the API response (200, 201, 403, 404, ...).
`stage`	Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic.
`requestReceivedTimestamp`	Time the apiserver received the request.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`kubernetes.audit.annotations.authorization_k8s_io/decision`	eq	`allow`	1 rule	elastic
`kubernetes.audit.objectRef.subresource`	eq	`exec`	1 rule	elastic
`kubernetes.audit.stage`	in	`ResponseComplete`	1 rule	elastic
`kubernetes.audit.stage`	in	`ResponseStarted`	1 rule	elastic
`objectRef.resource`	eq	`pods`	1 rule	sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma #

Potential Remote Command Execution In Pod Container source medium: Detects attempts to execute remote commands, within a Pod's container using e.g. the "kubectl exec" command.

Elastic #

Kubernetes User Exec into Pod source medium: This rule detects a user attempt to establish a shell session into a pod using the 'exec' command. Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/commands in the pod. An adversary may call bash to gain a persistent interactive shell which will allow access to any data the pod has permissions to, including secrets.↳ also matches get-pods-exec: get pods/exec

get-pods-log: get pods/log

Resource: Kubernetes-pods

Fields #

Name	Description
`verb`	The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...).
`objectRef.resource`	The targeted resource type (plural API name, e.g. pods, secrets).
`objectRef.subresource`	The targeted subresource, when present (e.g. exec, log, token).
`objectRef.namespace`	Namespace of the targeted object (empty for cluster-scoped resources).
`objectRef.name`	Name of the targeted object.
`objectRef.apiGroup`	API group of the targeted resource (empty string for core group).
`user.username`	Authenticated identity that issued the request (user or service account).
`user.groups`	Groups of the requesting identity.
`sourceIPs`	Source IP addresses of the request.
`responseStatus.code`	HTTP status code of the API response (200, 201, 403, 404, ...).
`stage`	Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic.
`requestReceivedTimestamp`	Time the apiserver received the request.

get-pods-portforward: get pods/portforward

Resource: Kubernetes-pods

Fields #

Name	Description
`verb`	The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...).
`objectRef.resource`	The targeted resource type (plural API name, e.g. pods, secrets).
`objectRef.subresource`	The targeted subresource, when present (e.g. exec, log, token).
`objectRef.namespace`	Namespace of the targeted object (empty for cluster-scoped resources).
`objectRef.name`	Name of the targeted object.
`objectRef.apiGroup`	API group of the targeted resource (empty string for core group).
`user.username`	Authenticated identity that issued the request (user or service account).
`user.groups`	Groups of the requesting identity.
`sourceIPs`	Source IP addresses of the request.
`responseStatus.code`	HTTP status code of the API response (200, 201, 403, 404, ...).
`stage`	Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic.
`requestReceivedTimestamp`	Time the apiserver received the request.

create-pods-portforward: create pods/portforward

Resource: Kubernetes-pods

Description

Port forwarding from a pod (kubectl port-forward).

Fields #

Name	Description
`verb`	The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...).
`objectRef.resource`	The targeted resource type (plural API name, e.g. pods, secrets).
`objectRef.subresource`	The targeted subresource, when present (e.g. exec, log, token).
`objectRef.namespace`	Namespace of the targeted object (empty for cluster-scoped resources).
`objectRef.name`	Name of the targeted object.
`objectRef.apiGroup`	API group of the targeted resource (empty string for core group).
`user.username`	Authenticated identity that issued the request (user or service account).
`user.groups`	Groups of the requesting identity.
`sourceIPs`	Source IP addresses of the request.
`responseStatus.code`	HTTP status code of the API response (200, 201, 403, 404, ...).
`stage`	Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic.
`requestReceivedTimestamp`	Time the apiserver received the request.

get-pods-proxy: get pods/proxy

Resource: Kubernetes-pods

Fields #

Name	Description
`verb`	The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...).
`objectRef.resource`	The targeted resource type (plural API name, e.g. pods, secrets).
`objectRef.subresource`	The targeted subresource, when present (e.g. exec, log, token).
`objectRef.namespace`	Namespace of the targeted object (empty for cluster-scoped resources).
`objectRef.name`	Name of the targeted object.
`objectRef.apiGroup`	API group of the targeted resource (empty string for core group).
`user.username`	Authenticated identity that issued the request (user or service account).
`user.groups`	Groups of the requesting identity.
`sourceIPs`	Source IP addresses of the request.
`responseStatus.code`	HTTP status code of the API response (200, 201, 403, 404, ...).
`stage`	Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic.
`requestReceivedTimestamp`	Time the apiserver received the request.

get-pods-status: get pods/status

Resource: Kubernetes-pods

Fields #

Name	Description
`verb`	The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...).
`objectRef.resource`	The targeted resource type (plural API name, e.g. pods, secrets).
`objectRef.subresource`	The targeted subresource, when present (e.g. exec, log, token).
`objectRef.namespace`	Namespace of the targeted object (empty for cluster-scoped resources).
`objectRef.name`	Name of the targeted object.
`objectRef.apiGroup`	API group of the targeted resource (empty string for core group).
`user.username`	Authenticated identity that issued the request (user or service account).
`user.groups`	Groups of the requesting identity.
`sourceIPs`	Source IP addresses of the request.
`responseStatus.code`	HTTP status code of the API response (200, 201, 403, 404, ...).
`stage`	Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic.
`requestReceivedTimestamp`	Time the apiserver received the request.

update-pods-status: update pods/status

Resource: Kubernetes-pods

Fields #

Name	Description
`verb`	The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...).
`objectRef.resource`	The targeted resource type (plural API name, e.g. pods, secrets).
`objectRef.subresource`	The targeted subresource, when present (e.g. exec, log, token).
`objectRef.namespace`	Namespace of the targeted object (empty for cluster-scoped resources).
`objectRef.name`	Name of the targeted object.
`objectRef.apiGroup`	API group of the targeted resource (empty string for core group).
`user.username`	Authenticated identity that issued the request (user or service account).
`user.groups`	Groups of the requesting identity.
`sourceIPs`	Source IP addresses of the request.
`responseStatus.code`	HTTP status code of the API response (200, 201, 403, 404, ...).
`stage`	Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic.
`requestReceivedTimestamp`	Time the apiserver received the request.

any-pods: any verb on pods (synthetic aggregation)

Resource: Kubernetes-pods

Description

Synthetic aggregation for rules that filter the pods resource with no specific verb. Not a distinct audit record; hosts rule listings that key on objectRef.resource alone.

Fields #

Name	Description
`verb`	The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...).
`objectRef.resource`	The targeted resource type (plural API name, e.g. pods, secrets).
`objectRef.subresource`	The targeted subresource, when present (e.g. exec, log, token).
`objectRef.namespace`	Namespace of the targeted object (empty for cluster-scoped resources).
`objectRef.name`	Name of the targeted object.
`objectRef.apiGroup`	API group of the targeted resource (empty string for core group).
`user.username`	Authenticated identity that issued the request (user or service account).
`user.groups`	Groups of the requesting identity.
`sourceIPs`	Source IP addresses of the request.
`responseStatus.code`	HTTP status code of the API response (200, 201, 403, 404, ...).
`stage`	Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic.
`requestReceivedTimestamp`	Time the apiserver received the request.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Esql.executed_command`	is_not_null		4 rules	elastic
`kubernetes.audit.objectRef.subresource`	eq	`exec`	4 rules	elastic
`kubernetes.audit.requestURI`	contains	`command=`	4 rules	elastic
`EventType`	in	`get`	1 rule	elastic
`EventType`	in	`list`	1 rule	elastic
`kubernetes.audit.objectRef.resource`	in	`clusterrolebindings`	1 rule	elastic
`kubernetes.audit.objectRef.resource`	in	`namespaces`	1 rule	elastic
`kubernetes.audit.objectRef.resource`	in	`nodes`	1 rule	elastic
`kubernetes.audit.objectRef.resource`	in	`pods`	1 rule	elastic
`kubernetes.audit.objectRef.resource`	in	`rolebindings`	1 rule	elastic
`kubernetes.audit.objectRef.resource`	in	`serviceaccounts`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

Kubernetes Pod Exec Cloud Instance Metadata Access source high: Detects Kubernetes pod exec sessions whose decoded command line references cloud instance metadata endpoints or equivalent hostnames and paths. Workloads that reach the link-local metadata IP, AWS IMDS paths, GCP computeMetadata, Azure IMDS token routes, or encoded variants are often attempting to harvest role credentials, tokens, or instance attributes from the underlying node or hypervisor boundary. That behavior is high risk in multi-tenant and regulated environments because it can expose short-lived cloud credentials to code running inside a container. The rule classifies a coarse cloud target label and whether the string looks like credential retrieval versus lighter reconnaissance.
Kubernetes Pod Exec Sensitive File or Credential Path Access source high: Detects Kubernetes pod exec sessions whose decoded command line references high-value host or in-cluster paths and material types: mounted service account or platform tokens, kubelet and control-plane configuration areas, host identity stores, root dot-directories for cloud and kubeconfig material, common private-key and keystore extensions, process environment dumps, and configuration filenames suggestive of embedded secrets. The intent is to catch interactive or scripted access that often precedes lateral movement, privilege escalation, or credential theft from the node or workload boundary. A narrow exclusion ignores benign reads of resolv.conf. The query also labels an access_type bucket to speed triage without altering the detection predicates you validated.
Kubernetes Multi-Resource Discovery source medium: Adversaries who land credentials in a cluster—or abuse an over-privileged token—often map the environment before exfiltration or privilege escalation. A practical first pass is to learn where workloads run, how the cluster is partitioned, and what RBAC exists at namespace vs cluster scope. Rapid get/list traffic across distinct API resource kinds that answer those questions (namespaces, workloads, roles, cluster-wide roles) is a common setup and orientation pattern for both interactive attackers and automated recon scripts. It is less typical for steady-state controllers, which usually touch a narrow set of resources repeatedly. This rule highlights that cross-resource burst from a single client fingerprint within a one-minute bucket so analysts can separate routine automation from potential discovery and permission reconnaissance ahead of follow-on actions.

Show 2 more (5 total)

Kubernetes Pod Exec with Curl or Wget to HTTPS source high: Detects pod or attach exec API calls where the decoded request query implies curl or wget fetching an https URL. Attackers with permission to exec into workloads often run one-liners to stage tooling, pull scripts or binaries, or exfiltrate data over HTTPS—activity that should be rare compared to shells, debuggers, or expected health checks. The rule decodes the audit requestURI, reconstructs a readable command string from repeated command parameters, and applies noise filters for common cluster health and OIDC/JWKS endpoints so benign automation is less likely to alert.
Kubernetes Pod Exec Potential Reverse Shell source high: Flags exec into a pod when the URL-decoded command payload resembles reverse-shell or bind-shell one-liners invocation patterns. Legitimate debug sessions sometimes use similar building blocks, but together these patterns align with post-exploitation interactive access and command-and-control.

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)