Detection Strategy for Container and Resource Discovery

ID: DET0490
Domains: Enterprise
Analytics: AN1352
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1352

Detection of adversary attempts to enumerate containers, pods, nodes, and related resources within containerized environments. Defenders may observe anomalous API calls to Docker or Kubernetes (e.g., 'docker ps', 'kubectl get pods', 'kubectl get nodes'), unusual account activity against the Kubernetes dashboard, or unexpected queries against container metadata endpoints. These events should be correlated with user context and network activity to reveal resource discovery attempts.

Log Sources

Data Component: Pod Enumeration (DC0037)
  Name: kubernetes:apiserver
  Channel: list or get requests against pods, deployments, or nodes

Data Component: Container Enumeration (DC0091)
  Name: docker:daemon
  Channel: docker ps, docker inspect, or docker images commands

Mutable Elements

UserAllowList: Defines which service accounts and admin roles are expected to perform discovery actions. Activity by non-allowlisted identities may indicate adversary discovery.
TimeWindow: Specifies the correlation period (e.g., 10m) for linking multiple discovery attempts across API and daemon logs.
PodQueryThreshold: Defines the threshold for the number of pod/node enumeration requests by a single user. Excessive queries may indicate scanning activity.
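The following added example (not part of the detection strategy itself) applies the three mutable elements to kube-apiserver audit log lines: it filters list/get requests against pods, deployments, and nodes, drops identities on UserAllowList, and raises an alert when one user's requests reach PodQueryThreshold inside any TimeWindow-long span. The audit events, identities, and threshold values are constructed for illustration; the only assumed log format is the standard audit.k8s.io/v1 Event JSON.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Mutable elements from the analytic; the values here are constructed placeholders.
CONTROLLER = "system:serviceaccount:kube-system:deployment-controller"
USER_ALLOW_LIST = {CONTROLLER}
TIME_WINDOW = timedelta(minutes=10)
POD_QUERY_THRESHOLD = 5
DISCOVERY_VERBS = {"list", "get"}
DISCOVERY_RESOURCES = {"pods", "deployments", "nodes"}

def _audit(user, verb, resource, ts):
    """Minimal kube-apiserver audit event (Metadata level) as one JSON log line."""
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": verb,
                       "user": {"username": user}, "objectRef": {"resource": resource},
                       "requestReceivedTimestamp": ts})

# Constructed sample log (not real data): an allowlisted controller, a workload service
# account sweeping pods/nodes/deployments, and a developer querying hours apart.
WEBAPP = "system:serviceaccount:default:webapp"
SAMPLE_AUDIT_LOG = (
    [_audit(CONTROLLER, "list", "pods", f"2025-10-21T10:0{i}:00Z") for i in range(6)]
    + [_audit(WEBAPP, "get", r, f"2025-10-21T10:1{i}:00Z")
       for i, r in enumerate(["pods", "nodes", "deployments", "pods", "nodes", "pods"])]
    + [_audit(WEBAPP, "create", "pods", "2025-10-21T10:17:00Z")]  # not a discovery verb
    + [_audit("dev@example.local", "list", "pods", f"2025-10-21T1{h}:00:00Z") for h in (1, 3, 5)]
)

def parse_event(line):
    ev = json.loads(line)  # keep only the fields the analytic needs
    return {"user": ev.get("user", {}).get("username", ""), "verb": ev.get("verb", ""),
            "resource": ev.get("objectRef", {}).get("resource", ""),
            "ts": datetime.fromisoformat(ev["requestReceivedTimestamp"].replace("Z", "+00:00"))}

def detect(lines, allow_list=USER_ALLOW_LIST, window=TIME_WINDOW, threshold=POD_QUERY_THRESHOLD):
    """Return {user: peak count} for non-allowlisted identities whose list/get requests
    against pods, deployments or nodes reach the threshold inside any window-long span."""
    per_user = defaultdict(list)
    for ev in sorted((parse_event(line) for line in lines), key=lambda e: e["ts"]):
        if ev["verb"] in DISCOVERY_VERBS and ev["resource"] in DISCOVERY_RESOURCES and ev["user"] not in allow_list:
            per_user[ev["user"]].append(ev["ts"])
    alerts = {}
    for user, stamps in per_user.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window past stale timestamps
                start += 1
            if end - start + 1 >= threshold:
                alerts[user] = max(alerts.get(user, 0), end - start + 1)
    return alerts
```

Running detect(SAMPLE_AUDIT_LOG) flags only the webapp service account (six discovery requests in five minutes); the controller's identical volume is suppressed by the allowlist and the developer's spaced-out queries never reach the threshold within one window.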