IR-014cloudv1.0.0

Container and Kubernetes Security Incident Response

⚠️ high⚠️ critical
Est. Time60m
📋 Steps10 steps
🔧 Tools7 required
🔗 Integrations5 platforms
📊 Avg Resolution90m
★ View on GitHub

🎯 MITRE ATT&CK

🔧 Tools Required

kubernetes clicontainer runtimesiemcloud consolefalcotrivythreat intelligence platform

⚡ Triggers

falco_container_escape_alertkubernetes_audit_privileged_podresource_spike_cpu_memoryunexpected_network_policy_changekubernetes_rbac_anomalycontainer_scanning_critical_findingsiem_k8s_audit_anomalycryptominer_detected

🔌 Integrations

req

falco

Runtime security for container escape, privilege escalation, and anomalous syscall detection

opt

aws eks

EKS control plane audit logs, CloudTrail for Kubernetes API server events

opt

gke security command center

GKE threat detection and container threat analysis

opt

datadog

Container performance monitoring for resource hijacking and crypto mining detection

opt

trivy

Container image vulnerability scanning and SBOM analysis

Click each step to expand the full procedure, automation hints, and expected outputs.

Identify the scope of the incident: which pods, namespaces, and nodes are affected. Review the triggering alert for details — Falco rule name, pod name, namespace, node, and container image. For cryptomining: identify pods with abnormal CPU/memory consumption. For container escapes: identify the pod that triggered the syscall anomaly and the node it runs on. For RBAC abuse: identify the ServiceAccount and the API calls made. Determine if the incident is limited to a single pod or has spread across the cluster.

⚡ Automation Hint

kubectl get pods --all-namespaces -o wide | grep -v Running kubectl top pods --all-namespaces | sort --reverse --key 3 --numeric | head -20 kubectl get events --all-namespaces --sort-by='.lastTimestamp' | tail -50 kubectl describe pod <pod-name> -n <namespace> EKS audit logs: aws cloudwatch filter-log-events --log-group-name /aws/eks/<cluster>/cluster --filter-pattern '{ $.verb = "create" && $.objectRef.resource = "pods" }'

📤 Outputs

affected_podsaffected_nodesaffected_namespacescontainer_images_involved