User Attached to a Pod

Set up the kubernetes integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a user attaches to a pod.

Strategy

This rule monitors when a user attaches (@objectRef.subresource:attach) to a pod (@objectRef.resource:pods).

A user should not need to attach to a pod. Attaching to a pod allows a user to attach to any process in a running container which may give an attacker access to sensitive data.

Triage and response

Determine if the user should be attaching to a running container.

Changelog

  • 7 May 2024 - Updated detection query to include logs from Azure Kubernetes Service.
  • 17 July 2024 - Updated detection query to include logs from Google Kubernetes Engine.
PREVIEWING: esther/docs-9518-update-example-control-sensitive-log-data