Detection correlates anomalous Docker or Kubernetes API requests with access to logs, secrets, or service accounts. Observes unauthorized use of docker logs, kubectl get secrets, or direct API calls to Kubernetes API server endpoints. Identifies behavioral patterns where adversaries escalate from basic pod/container interaction to privileged API calls exposing sensitive credential material.
| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | docker:api | docker logs access or container inspect commands from non-administrative users |
| User Account Authentication (DC0002) | kubernetes:apiserver | get/list requests to /api/v1/secrets or /api/v1/namespaces/*/serviceaccounts |
| Process Creation (DC0032) | kubernetes:apiserver | exec into pod followed by secret retrieval via API |
| Application Log Content (DC0038) | kubernetes:orchestrator | Access to orchestrator logs containing credentials (Docker/Kubernetes logs) |

| Field | Description |
|---|---|
| UserContext | Tune to exclude known orchestrator admin service accounts or CI/CD pipelines that legitimately access secrets |
| NamespaceScope | Restrict detection to sensitive namespaces (e.g., kube-system, production apps) |
| TimeWindow | Adjust correlation timing between pod execution and subsequent API secret retrieval |
| SourceIP | Filter based on allowed internal API calls vs anomalous external or cross-cluster access |
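The correlation described above (pod exec followed by secret or service-account retrieval by the same principal, gated by the UserContext, NamespaceScope, TimeWindow and SourceIP tunables) as an added worked example over constructed Kubernetes audit events; this is illustrative code, not part of this detection strategy or any vendor analytic, and the allowlisted CI/CD account, the sensitive namespaces and the internal address prefix are assumptions.

```python
from datetime import datetime, timedelta

# Tunables named in the strategy: UserContext, NamespaceScope, TimeWindow, SourceIP.
ALLOWED_USERS = {"system:serviceaccount:ci:deployer"}   # assumption: a known CI/CD account
SENSITIVE_NAMESPACES = {"kube-system", "prod"}          # assumption: NamespaceScope
TIME_WINDOW = timedelta(minutes=10)                       # assumption: TimeWindow
INTERNAL_PREFIX = "10."                                   # assumption: cluster-internal range

def parse_ts(s):
    return datetime.strptime(s[:19], "%Y-%m-%dT%H:%M:%S")

def is_exec(ev):           # `kubectl exec` appears as a create on the pods/exec subresource
    ref = ev.get("objectRef", {})
    return ev.get("verb") == "create" and ref.get("resource") == "pods" and ref.get("subresource") == "exec"

def is_secret_read(ev):    # get/list on secrets or serviceaccounts
    ref = ev.get("objectRef", {})
    return ev.get("verb") in ("get", "list") and ref.get("resource") in ("secrets", "serviceaccounts")

def correlate(events):
    """Alert when a non-allowlisted user execs into a pod, then reads secrets within TIME_WINDOW."""
    alerts, last_exec = [], {}
    for ev in sorted(events, key=lambda e: e["requestReceivedTimestamp"]):
        user = ev["user"]["username"]
        if user in ALLOWED_USERS:              # UserContext: skip known automation
            continue
        ts = parse_ts(ev["requestReceivedTimestamp"])
        if is_exec(ev):
            last_exec[user] = ts
        elif is_secret_read(ev) and user in last_exec and ts - last_exec[user] <= TIME_WINDOW:
            ns = ev["objectRef"].get("namespace", "")
            external = not all(ip.startswith(INTERNAL_PREFIX) for ip in ev.get("sourceIPs", []))
            if ns in SENSITIVE_NAMESPACES or external:   # NamespaceScope or SourceIP condition
                alerts.append({"user": user, "namespace": ns, "external": external,
                               "seconds_since_exec": int((ts - last_exec[user]).total_seconds())})
    return alerts

def audit(ts, user, verb, resource, ns, ip, sub=None):   # builds an audit.k8s.io/v1-shaped event
    ref = {"resource": resource, "namespace": ns, **({"subresource": sub} if sub else {})}
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": verb, "user": {"username": user},
            "objectRef": ref, "sourceIPs": [ip], "requestReceivedTimestamp": ts}

SAMPLE_EVENTS = [  # constructed sample, not real cluster data
    audit("2024-05-01T12:00:00.000000Z", "dev-alice", "create", "pods", "prod", "10.0.0.5", "exec"),
    audit("2024-05-01T12:03:00.000000Z", "dev-alice", "get", "secrets", "prod", "10.0.0.5"),
    audit("2024-05-01T12:04:00.000000Z", "system:serviceaccount:ci:deployer", "list", "secrets", "kube-system", "10.0.0.9"),
    audit("2024-05-01T12:06:00.000000Z", "dev-bob", "create", "pods", "dev", "10.0.0.7", "exec"),
    audit("2024-05-01T12:07:00.000000Z", "dev-bob", "get", "secrets", "dev", "203.0.113.9"),
]
```

Running `correlate(SAMPLE_EVENTS)` yields two alerts: dev-alice (exec then secret read in the sensitive prod namespace, 180 s apart) and dev-bob (non-sensitive namespace, but the secret read arrives from an external address); the allowlisted deployer account is suppressed.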