
Summary
Detects creation of GKE Pods in Google Kubernetes Engine where containers are granted elevated Linux capabilities via securityContext.add capabilities. The rule targets GCP audit logs (data_stream.dataset:gcp.audit) for event.action io.k8s.core.v1.pods.create and matches gcp.audit.request.spec.containers.securityContext.capabilities.add with high-risk capabilities (e.g., BPF, DAC_READ_SEARCH, NET_ADMIN, SYS_ADMIN, SYS_BOOT, SYS_MODULE, SYS_PTRACE, SYS_RAWIO, SYSLOG). It excludes resources under ReplicaSet, DaemonSet, or StatefulSet ownership. This pattern indicates potential container escape to the host or privilege escalation. MITRE ATT&CK mappings: T1611 (Escape to Host) and T1610 (Deploy Container). Severity: medium; risk_score: 47. The rule assumes a GKE audit log integration (Fleet) to function and is intended for cloud/Kubernetes/container contexts.
Categories
- Cloud
- Kubernetes
- Containers
Data Sources
- Cloud Service
- Container
ATT&CK Techniques
- T1611
- T1610
Created: 2026-06-30