Deprecated VM alerts regarding suspicious activity related to a Kubernetes cluster


The following table lists the alerts that were deprecated:

Alert nameDescriptionTacticsSeverity
Docker build operation detected on a Kubernetes node
Machine logs indicate a build operation of a container image on a Kubernetes node. While this behavior might be legitimate, attackers might build their malicious images locally to avoid detection.Defense EvasionLow
Suspicious request to Kubernetes API
Machine logs indicate that a suspicious request was made to the Kubernetes API. The request was sent from a Kubernetes node, possibly from one of the containers running in the node. Although this behavior can be intentional, it might indicate that the node is running a compromised container.LateralMovementMedium
SSH server is running inside a container
Machine logs indicate that an SSH server is running inside a Docker container. While this behavior can be intentional, it frequently indicates that a container is misconfigured or breached.ExecutionMedium

These alerts are used to notify a user about suspicious activity connected to a Kubernetes cluster. The alerts will be replaced with matching alerts that are part of the Microsoft Defender for Cloud Container alerts (K8S.NODE_ImageBuildOnNodeK8S.NODE_ KubernetesAPI and K8S.NODE_ ContainerSSH) which will provide improved fidelity and comprehensive context to investigate and act on the alerts.



Démarrez une conversation

Votre adresse e-mail ne sera pas publiée. Les champs obligatoires sont indiqués avec *