Quick Start Security for Kubernetes

Kubernetes

Coralogix Extension For Kubernetes Includes:

Alerts - 19

Stay on top of Kubernetes key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

User exec into a pod

This rule monitors for the exec sub-resource being invoked on a pod. A user should not normally need to exec into a pod.
Impact: Exec-ing into a pod allows a user to execute any process in a container, including processes that are not already running.
Mitigation: Determine whether the user should be exec-ing into a running container.

User attached to a pod

This rule monitors for the attach sub-resource being invoked on a pod. A user should not normally need to attach to a pod.
Impact: Attaching to a pod allows a user to attach to any process in a running container, which may give an attacker access to sensitive data.
Mitigation: Determine whether the user should be attaching to a running container.

User attempts more than 3 denied actions

This rule identifies responses from the API server where the error reason is set to Forbidden, indicating that an authenticated user attempted to perform an action they are not explicitly authorized to perform.

Pod created with HostPID

This rule monitors for the creation or modification of a pod that uses the host PID namespace. HostPID gives a pod visibility into all processes running on the host and could allow an attacker to take malicious action.
MITRE Tactic: TA0004. MITRE Technique: T1611.

Pod created with a sensitive hostPath volume

This rule monitors for the creation of a pod with a sensitive volume of type hostPath. A hostPath volume mounts a file or directory from the node into the container. If the container is compromised, the attacker can use this mount to gain access to the node.
MITRE Tactic: TA0004. MITRE Technique: T1611.

Pod created with HostNetwork

This rule monitors for the creation or modification of a pod that uses the host network namespace. HostNetwork lets the pod share the node's network namespace, giving it access to any service listening on the host's localhost. An attacker could use this access to snoop on the network activity of other pods on the same node or to bypass restrictive network policies applied to the pod's namespace.
MITRE Tactic: TA0004. MITRE Technique: T1611.

Pod created with HostIPC

This rule monitors for the creation or modification of a pod that uses the host IPC namespace. This gives access to data used by any other pod that also uses the host's IPC namespace. If any process on the host, or any process in such a pod, uses the host's inter-process communication mechanisms (shared memory, semaphore arrays, message queues, etc.), an attacker can read from and write to those same mechanisms.
MITRE Tactic: TA0004. MITRE Technique: T1611.

Exposed service created with type NodePort

This rule monitors for the creation or modification of a service of type NodePort. A NodePort service allows a user to externally expose a set of labeled pods to the internet. It opens a port on every worker node in the cluster that runs a pod backing that service; external traffic received on that port is forwarded to the pod through the service. A malicious user can configure a service of type NodePort to intercept traffic from other pods or nodes, bypassing firewalls and other network security measures configured for load balancers within the cluster. This creates a direct path between the cluster and the outside world, which could be used for further malicious activity and certainly widens the attack surface of your cluster.
MITRE Tactic: TA0003. MITRE Technique: T1133.

Suspicious self subject review

This rule monitors for a service account or node attempting to enumerate its own permissions via the selfsubjectaccessreview or selfsubjectrulesreview APIs. This is highly unusual behavior for non-human identities such as service accounts and nodes. An adversary may have obtained credentials or tokens, and this could be an attempt to determine what privileges they hold in order to facilitate further movement or execution within the cluster.
MITRE Tactic: TA0007. MITRE Technique: T1613.

Pod created with a sensitive hostPath volume

This rule monitors for the creation of a pod with a sensitive volume of type hostPath. A hostPath volume mounts a file or directory from the node into the container. If the container is compromised, the attacker can use this mount to gain access to the node. There are many ways a container with unrestricted access to the host filesystem can escalate privileges, including reading data belonging to other containers and accessing the tokens of more privileged pods.

Privileged pod created

This rule monitors for creation of a pod/container running in privileged mode. A highly privileged container has access to the node's resources and breaks the isolation between containers. If compromised, an attacker can use the privileged container to gain access to the underlying host. Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.
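The pod-level rules above (exec/attach sub-resources, HostPID, HostNetwork, HostIPC, sensitive hostPath volumes and privileged containers) all key off fields in the API server's audit events. The following is an added example, not Coralogix's rule logic, that evaluates those conditions over constructed audit lines; the list of sensitive host paths is an assumption for the example.

```python
import json
# Host paths treated as sensitive; this list is an assumption for the example, not Coralogix's.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/root", "/var/lib/kubelet", "/var/run/docker.sock")

def _under(path, root):  # path equals root or lies beneath it; "/" only matches itself
    return path == root or (root != "/" and path.startswith(root + "/"))

def pod_findings(event: dict) -> list[str]:
    """Return the names of the rules above that a single audit event triggers."""
    hits, sub = [], event.get("objectRef", {}).get("subresource")
    if sub in ("exec", "attach"):  # pods/exec and pods/attach sub-resources
        hits.append(f"User {sub} into a pod")
    obj = event.get("requestObject") or {}
    if obj.get("kind") != "Pod" or event.get("verb") not in ("create", "update", "patch"):
        return hits  # the remaining rules need the submitted pod spec
    spec = obj.get("spec", {})
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            hits.append("Pod created with " + flag[0].upper() + flag[1:])
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    if any(c.get("securityContext", {}).get("privileged") for c in containers):
        hits.append("Privileged pod created")
    if any(_under(v.get("hostPath", {}).get("path", ""), p)
           for v in spec.get("volumes", []) for p in SENSITIVE_HOST_PATHS):
        hits.append("Pod created with a sensitive hostPath volume")
    return hits

# Constructed audit events in the API server's JSON audit shape; not real cluster output.
SAMPLE_AUDIT_LINES = [
    json.dumps({"verb": "create", "user": {"username": "dev@example.com"},
                "objectRef": {"resource": "pods", "namespace": "default", "name": "dbg"},
                "requestObject": {"kind": "Pod", "spec": {"hostPID": True, "hostNetwork": True,
                    "containers": [{"name": "c", "securityContext": {"privileged": True}}],
                    "volumes": [{"name": "h", "hostPath": {"path": "/var/run/docker.sock"}}]}}}),
    json.dumps({"verb": "create", "user": {"username": "dev@example.com"}, "objectRef": {
                "resource": "pods", "subresource": "exec", "namespace": "default", "name": "web"}}),
    json.dumps({"verb": "create", "user": {"username": "ci"},
                "objectRef": {"resource": "pods", "namespace": "prod", "name": "api"},
                "requestObject": {"kind": "Pod", "spec": {"containers": [{"name": "api"}],
                    "volumes": [{"name": "d", "hostPath": {"path": "/data/cache"}}]}}}),
]

def scan(lines):
    """Map user/namespace/pod to the rules it triggered; events with no hits are dropped."""
    report = {}
    for ev in map(json.loads, lines):
        if hits := pod_findings(ev):
            ref = ev["objectRef"]
            report[f"{ev['user']['username']}/{ref['namespace']}/{ref['name']}"] = hits
    return report
```

The third sample event (a non-sensitive hostPath under /data) produces no finding, which is the check that keeps the hostPath rule from firing on every volume mount.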

More than usual 400 error code received

This rule evaluates every 3 minutes and alerts when more than the usual number of 400 error codes is received, with a threshold of 5, which might indicate a brute-force attack.

Unauthenticated user request is permitted

This rule monitors for any action being permitted (status_code:[100 TO 299]) for an unauthenticated user. The /healthz endpoint is commonly accessed without authentication and is excluded in the query filter.

User assigned cluster-level administrative permissions

This rule monitors for a ClusterRoleBinding object being created that binds a Kubernetes user to the cluster-admin role. This effectively grants the referenced user full administrator permissions over the entire Kubernetes cluster.

More than usual 400 error code received per namespace

Detects when more than the usual number of 400 error codes is received per namespace.

New namespace detected

Detects when a new namespace has been added to the Kubernetes cluster.

Delete action detected in Kube-System namespace

Detects when a delete action is performed in the kube-system namespace.

Node has been deleted

Detects when a delete action is performed on a Node.

No logs from Kubernetes

This rule detects when no Kubernetes logs have been received in the customer account for the last 4 hours. Note: this alert should be configured with the relevant application and subsystem.
Impact: Disabling logging is a tactic adversaries may employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations.
Mitigation: Address the logging gap to ensure comprehensive monitoring within the Coralogix SIEM.
MITRE Tactic: TA0005. MITRE Technique: T1562.

Integration

Learn more about Coralogix's out-of-the-box integration with Kubernetes in our documentation.