Elastic Security Detection Rules

Kubelet API Connection Attempt to Internal IP

Last updated 14 days ago on 2026-04-28
Created 14 days ago on 2026-04-28

About

Detects network connection attempts to the Kubernetes Kubelet API port (10250/10255) on internal IP ranges from Linux hosts. This rule focuses on common request and scripting utilities (curl, wget, python, node, etc.) and executions from world-writable or ephemeral paths (/tmp, /var/tmp, /dev/shm, /var/run), which are frequently abused during container and cluster lateral movement.
Tags
Domain: EndpointDomain: ContainerDomain: KubernetesOS: LinuxUse Case: Threat DetectionTactic: Lateral MovementTactic: DiscoveryData Source: Elastic DefendData Source: Auditd ManagerLanguage: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Lateral Movement (TA0008)(external, opens in a new tab or window)

Remote Services (T1021)(external, opens in a new tab or window)

Discovery (TA0007)(external, opens in a new tab or window)

Container and Resource Discovery (T1613)(external, opens in a new tab or window)

False Positive Examples
Legitimate node health checks, diagnostics, or in-cluster agents may access the Kubelet API on port 10250. Validate the calling process, command line, and whether the destination is the local node or another node.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
auditbeat-*logs-auditd_manager.auditd-*logs-endpoint.events.network*
Related Integrations

endpoint(external, opens in a new tab or window)

auditd_manager(external, opens in a new tab or window)

Query
text code block:
network where host.os.type == "linux" and event.type == "start" and event.category == "network" and network.direction == "egress" and 
  event.action in ("connected-to", "connection_attempted") and (destination.port == 10250 or destination.port == 10255) and
  cidrmatch(
    destination.ip,
    "127.0.0.0/8",
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "169.254.0.0/16",
    "100.64.0.0/10",
    "::1/128",
    "fc00::/7",
    "fe80::/10"
  ) and
  (
    process.name in ("curl", "wget", "nc", "ncat", "netcat", "socat", "openssl", "perl", "busybox") or 
    process.name like ".*" or process.executable like "/*/.*" or 
    process.name like ("python*", "ruby*", "node*", "java*", "lua*", "apache*", "php*", "nginx", "httpd*", "lighttpd", "caddy", "mongrel_rails", "gunicorn", 
                       "uwsgi", "openresty", "cherokee", "h2o", "resin", "puma", "unicorn", "traefik", "tornado", "hypercorn", 
                       "daphne", "twistd", "yaws", "webfsd", "flask", "rails", "mongrel", "catalina.sh", "hiawatha", "lswsctrl") or
    process.executable like ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/home/*", "/run/user/*", "/busybox/*")
  )

Install detection rules in Elastic Security

Detect Kubelet API Connection Attempt to Internal IP in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).