New Kubernetes privileged pod created

Set up the kubernetes integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a privileged pod is created. Privileged pods remove container isolation which allows privileged actions on the host.

Strategy

This rule monitors when a pod (@objectRef.resource:pods) is created (@http.method:create) and the privileged security context (@requestObject.spec.containers.securityContext.privileged) is true.

Triage & Response

Determine if the pod should be privileged.

Changelog

  • 7 May 2024 - Updated detection query to include logs from Azure Kubernetes Service.
  • 16 July 2024 - Updated detection query to include logs from Google Kubernetes Engine.
PREVIEWING: esther/docs-9518-update-example-control-sensitive-log-data