You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
QueryName: Pod Created or Modified Using the Host PID Namespace
Enabled: false
Tags:
- Optional
Description: >
This detection monitors for any pod creation or modification using the host PID namespace. The Host PID namespace enables a pod and its containers to have direct access and share the same view as of the host’s processes. This can offer a powerful escape hatch to the underlying host.
Query: >
SELECT *,
IFF(sourceIPs[0] IS NOT null, sourceIPs[0], 'N/A') as X_FORWARDED_FOR_IP,
IFF(sourceIPs[1] IS NOT null, sourceIPs[1], 'N/A') as X_Real_IP,
IFF(sourceIPs[2] IS NOT null, sourceIPs[2], 'N/A') as Remote_Address_IP
FROM panther_logs.public.amazon_eks_audit
WHERE
verb IN ('create', 'update', 'patch')
AND objectRef:resource = 'pods'
AND requestObject:spec:hostPID = True
AND p_occurs_since('30 minutes')
--insert allow-list for pods expected to use the Host PID namespace