Service Account Namespace Read Detected via Defend for Containers

About

Tags

Data Source: Elastic Defend for ContainersDomain: ContainerOS: LinuxUse Case: Threat DetectionTactic: DiscoveryLanguage: eql

Severity

low

Risk Score

21

MITRE ATT&CK™

Discovery (TA0007)(external, opens in a new tab or window)

↳ Container and Resource Discovery (T1613)(external, opens in a new tab or window)

↳ System Information Discovery (T1082)(external, opens in a new tab or window)

False Positive Examples

There is a potential for false positives if the reading of the service account namespace file is used for legitimate purposes, such as debugging or troubleshooting. It is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

logs-cloud_defend.file*

Related Integrations

cloud_defend(external, opens in a new tab or window)

Query

✄𐘗
text code block:
✄𐘗file where host.os.type == "linux" and event.type == "change" and event.action == "open" and
file.path == "/var/run/secrets/kubernetes.io/serviceaccount/namespace" and
process.interactive == true and container.id like "*"