DET0490 Detection Strategy for Container and Resource Discovery

Item	Value
ID	DET0490
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1613 (Container and Resource Discovery)

Analytics

Containers

AN1352

Detection of adversary attempts to enumerate containers, pods, nodes, and related resources within containerized environments. Defenders may observe anomalous API calls to Docker or Kubernetes (e.g., ‘docker ps’, ‘kubectl get pods’, ‘kubectl get nodes’), unusual account activity against the Kubernetes dashboard, or unexpected queries against container metadata endpoints. These events should be correlated with user context and network activity to reveal resource discovery attempts.

Log Sources

Data Component	Name	Channel
Pod Enumeration (DC0037)	kubernetes:apiserver	list or get requests against pods, deployments, or nodes
Container Enumeration (DC0091)	docker:daemon	docker ps, docker inspect, or docker images commands

Mutable Elements

Field	Description
UserAllowList	Defines which service accounts and admin roles are expected to perform discovery actions. Activity by non-allowlisted identities may indicate adversary discovery.
TimeWindow	Specifies correlation period (e.g., 10m) for linking multiple discovery attempts across API and daemon logs.
PodQueryThreshold	Defines threshold for number of pod/node enumeration requests by a single user. Excessive queries may indicate scanning activity.