T1552.007 Container API Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detect container API credential access
DeviceProcessEvents
| where Timestamp > ago(24h)
// Pattern 1: kubectl commands accessing secrets
| where FileName in~ ("kubectl", "kubectl.exe")
| where ProcessCommandLine has_any (
    "get secrets", "get secret", "describe secret", "describe secrets",
    "get sa ", "get serviceaccount", "get configmap",
    "get pods -o", "logs", "exec"
  )
| extend IsSecretAccess = ProcessCommandLine has_any ("secret", "serviceaccount", "sa")
| extend Pattern = "Kubectl_CredAccess"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, IsSecretAccess, Pattern
| union (
    // Pattern 2: Docker API access for credentials
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName in~ ("docker", "docker.exe")
    | where ProcessCommandLine has_any (
        "inspect", "logs", "env", "exec",
        "cp ", "volume", "/var/run/docker.sock"
      )
    | extend Pattern = "Docker_CredAccess"
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, Pattern
)
| union (
    // Pattern 3: Direct docker.sock access from processes
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where FolderPath has "docker.sock" or FileName =~ "docker.sock"
    | where InitiatingProcessFileName !in~ ("dockerd", "containerd", "docker-proxy", "docker")
    | extend Pattern = "DockerSock_UnexpectedAccess"
    | project Timestamp, DeviceName, InitiatingProcessAccountName, FolderPath, FileName,
             InitiatingProcessFileName, Pattern
)
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution File: File Access

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

DevOps engineers and platform teams legitimately accessing Kubernetes secrets for debugging and application management
CI/CD pipeline service accounts that need to read deployment secrets (Helm, ArgoCD, Flux) during application deployment
Monitoring tools (Prometheus, Grafana agents) that need access to service account tokens for cluster monitoring
Container security scanning tools (Trivy, Falco, Snyk) that inspect containers for vulnerabilities
Kubernetes operators and controllers that legitimately manage secrets as part of their controller pattern

Splunk

spl

index=linux_audit OR index=kubernetes (sourcetype="linux_audit" OR sourcetype="kube:audit")
(
  sourcetype="linux_audit" type=EXECVE
  (a0="kubectl" OR a0="docker")
| eval CommandLine=mvjoin(mvappend(a0,a1,a2,a3,a4,a5,a6), " ")
| eval IsKubectlSecret=if(match(CommandLine, "kubectl.*(get|describe|edit).*(secret|serviceaccount|sa|configmap)"), 1, 0)
| eval IsDockerCred=if(match(CommandLine, "docker.*(inspect|logs|exec|env)") AND match(CommandLine, "(pass|secret|token|credential|key)"), 1, 0)
| eval IsDockerSock=if(match(CommandLine, "/var/run/docker\.sock"), 1, 0)
| eval RiskScore=IsKubectlSecret + IsDockerCred + IsDockerSock
| where RiskScore > 0
| table _time, host, auid, CommandLine, IsKubectlSecret, IsDockerCred, IsDockerSock, RiskScore
)
OR
(
  sourcetype="kube:audit"
  (verb IN ("get", "list", "watch") AND resource IN ("secrets", "serviceaccounts", "configmaps"))
  NOT 'user.username' IN ("system:serviceaccount:kube-system:*", "system:node:*")
| eval Accessor='user.username'
| eval Resource=resource
| eval Namespace='objectRef.namespace'
| eval SecretName='objectRef.name'
| eval AlertType="K8s_SecretAccess"
| table _time, Accessor, Resource, Namespace, SecretName, 'sourceIPs{}'  , AlertType
)
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Kubernetes API Audit Logs linux_audit EXECVE events

Required Sourcetypes

linux_audit kube:audit

False Positives

DevOps engineers accessing Kubernetes secrets for debugging
CI/CD pipeline service accounts reading deployment secrets
Monitoring tools accessing service account tokens
Container security scanning tools inspecting containers
Kubernetes operators managing secrets via controller pattern

Elastic Security (EQL)

eql

any where
(
  (
    event.category == "process" and
    process.name in~ ("kubectl", "kubectl.exe") and
    process.args : ("get secrets", "get secret", "describe secret", "describe secrets", "get sa", "get serviceaccount", "get serviceaccounts", "get configmap", "get configmaps", "logs", "exec")
  )
  or
  (
    event.category == "process" and
    process.name in~ ("docker", "docker.exe") and
    process.args : ("inspect", "logs", "env", "exec", "cp", "volume") and
    process.command_line : ("*secret*", "*token*", "*pass*", "*credential*", "*key*", "*inspect*", "*env*", "*docker.sock*")
  )
  or
  (
    event.category == "file" and
    file.path : "*/var/run/docker.sock" and
    not process.name in~ ("dockerd", "containerd", "docker-proxy", "docker", "moby")
  )
)

high severity high confidence

Data Sources

Elastic Endpoint Security Auditbeat (Linux process and file events) Kubernetes audit logs via Filebeat

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* auditbeat-*

False Positives

Legitimate DevOps engineers or CI/CD pipelines (e.g., Jenkins, GitLab Runner, ArgoCD) using kubectl to inspect secrets as part of normal deployment workflows
Container security scanning tools (e.g., Trivy, Falco, Anchore) that directly read /var/run/docker.sock for image and container inspection
Kubernetes operators and controllers (e.g., Sealed Secrets controller, external-secrets-operator) that routinely access secrets and service accounts via the Kubernetes API

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Username,
  "Process Name" AS ProcessName,
  "Command" AS CommandLine,
  LOGSOURCETYPENAME(logsourceid) AS LogSourceType,
  hostname AS Hostname,
  CASE
    WHEN "Command" ILIKE '%kubectl%' AND ("Command" ILIKE '%secret%' OR "Command" ILIKE '%serviceaccount%' OR "Command" ILIKE '%configmap%') THEN 1
    ELSE 0
  END +
  CASE
    WHEN "Command" ILIKE '%docker%' AND ("Command" ILIKE '%inspect%' OR "Command" ILIKE '%logs%' OR "Command" ILIKE '%exec%' OR "Command" ILIKE '%env%') THEN 1
    ELSE 0
  END +
  CASE
    WHEN "Command" ILIKE '%docker.sock%' THEN 1
    ELSE 0
  END AS RiskScore
FROM events
WHERE
  LOGSOURCETYPENAME(logsourceid) IN ('Linux OS', 'Universal DSM', 'Kubernetes Audit Log')
  AND (
    (
      "Command" ILIKE '%kubectl%' AND
      (
        "Command" ILIKE '%get secret%' OR
        "Command" ILIKE '%describe secret%' OR
        "Command" ILIKE '%get sa %' OR
        "Command" ILIKE '%get serviceaccount%' OR
        "Command" ILIKE '%get configmap%' OR
        "Command" ILIKE '% logs %' OR
        "Command" ILIKE '% exec %'
      )
    )
    OR (
      "Command" ILIKE '%docker%' AND
      (
        "Command" ILIKE '%inspect%' OR
        "Command" ILIKE '%logs%' OR
        "Command" ILIKE '%exec%' OR
        "Command" ILIKE '% env%'
      ) AND
      (
        "Command" ILIKE '%pass%' OR
        "Command" ILIKE '%secret%' OR
        "Command" ILIKE '%token%' OR
        "Command" ILIKE '%key%' OR
        "Command" ILIKE '%credential%'
      )
    )
    OR "Command" ILIKE '%/var/run/docker.sock%'
  )
  AND starttime > NOW() - 86400000
ORDER BY RiskScore DESC, starttime DESC
LIMIT 1000

high severity medium confidence

Data Sources

IBM QRadar SIEM with Linux OS log source Kubernetes Audit Log DSM Universal DSM for auditd EXECVE events

Required Tables

events

False Positives

DevSecOps pipelines with automated credential rotation jobs that legitimately read Kubernetes secrets for injection into deployment manifests
Monitoring agents such as Datadog, New Relic, or Prometheus node-exporters that access Docker socket for container metrics collection
Platform engineering teams running kubectl commands to audit RBAC policies or troubleshoot pod-level service account permissions

Sumo Logic CSE

sql

(_sourceCategory=linux/audit OR _sourceCategory=kubernetes/audit OR _sourceCategory=container/events)
// Parse auditd EXECVE records
| parse regex field=_raw "type=EXECVE.*?a0=\"?(?<a0>[^\" ]+)\"?" nodrop
| parse regex field=_raw "a1=\"?(?<a1>[^\" ]+)\"?" nodrop
| parse regex field=_raw "a2=\"?(?<a2>[^\" ]+)\"?" nodrop
| parse regex field=_raw "a3=\"?(?<a3>[^\" ]+)\"?" nodrop
| parse regex field=_raw "a4=\"?(?<a4>[^\" ]+)\"?" nodrop
| tostring a0, a1, a2, a3, a4
| concat(a0, " ", a1, " ", a2, " ", a3, " ", a4) as CommandLine
// Pattern 1: kubectl secret access
| eval IsKubectlSecret = if(
    matches(CommandLine, ".*kubectl.*(get|describe).*(secret|serviceaccount|sa|configmap).*"),
    1, 0)
// Pattern 2: Docker credential extraction
| eval IsDockerCred = if(
    matches(CommandLine, ".*docker.*(inspect|logs|exec|env|cp).*") AND
    matches(CommandLine, ".*(pass|secret|token|credential|key).*"),
    1, 0)
// Pattern 3: Direct docker.sock access
| eval IsDockerSock = if(
    matches(CommandLine, ".*docker\\.sock.*"),
    1, 0)
// Kubernetes API audit events
| parse field=_raw "\"verb\":\"(?<k8s_verb>[^\"]+)\"" nodrop
| parse field=_raw "\"resource\":\"(?<k8s_resource>[^\"]+)\"" nodrop
| parse field=_raw "\"username\":\"(?<k8s_user>[^\"]+)\"" nodrop
| parse field=_raw "\"namespace\":\"(?<k8s_namespace>[^\"]+)\"" nodrop
| eval IsK8sSecretAPI = if(
    k8s_verb in ("get","list","watch") AND
    k8s_resource in ("secrets","serviceaccounts","configmaps") AND
    !matches(k8s_user, "system:serviceaccount:kube-system:.*") AND
    !matches(k8s_user, "system:node:.*"),
    1, 0)
| eval RiskScore = IsKubectlSecret + IsDockerCred + IsDockerSock + IsK8sSecretAPI
| where RiskScore > 0
| fields _messageTime, _sourceHost, CommandLine, k8s_user, k8s_verb, k8s_resource, k8s_namespace, IsKubectlSecret, IsDockerCred, IsDockerSock, IsK8sSecretAPI, RiskScore
| sort by RiskScore desc, _messageTime desc

high severity medium confidence

Data Sources

Linux auditd logs (EXECVE events) Kubernetes API server audit logs Container runtime logs

Required Tables

_sourceCategory=linux/audit _sourceCategory=kubernetes/audit _sourceCategory=container/events

False Positives

GitOps controllers such as Flux or ArgoCD that continuously sync Kubernetes secrets from a Git source of truth, triggering frequent get/list operations on secrets resources
Cluster autoscalers and admission webhooks that inspect pod specs including mounted secret volumes as part of scheduling decisions
Legitimate sysadmin troubleshooting sessions where engineers run kubectl logs or kubectl exec to debug application crashes that happen to involve credential-related configuration

Google Chronicle / SecOps

yaral

rule container_api_credential_access {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1552.007 — credential access via Docker and Kubernetes container APIs, including kubectl secret enumeration, Docker CLI credential extraction, docker.sock unauthorized access, and Kubernetes API secret reads."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1552.007"
    mitre_attack_subtechnique = "Container API"
    reference = "https://attack.mitre.org/techniques/T1552/007/"

  events:
    (
      // Pattern 1: kubectl targeting secrets, service accounts, configmaps
      $kubectl_event.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($kubectl_event.target.process.file.full_path, `(^|/)kubectl$`)
      and (
        re.regex($kubectl_event.target.process.command_line, `kubectl\s+(get|describe|edit|patch)\s+(secret|secrets|sa|serviceaccount|serviceaccounts|configmap|configmaps)`)
        or re.regex($kubectl_event.target.process.command_line, `kubectl\s+exec\s+`)
        or re.regex($kubectl_event.target.process.command_line, `kubectl\s+logs\s+`)
        or re.regex($kubectl_event.target.process.command_line, `kubectl\s+get\s+pods\s+-o`)
      )
    )
    or (
      // Pattern 2: Docker CLI credential extraction
      $docker_event.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($docker_event.target.process.file.full_path, `(^|/)docker$`)
      and re.regex($docker_event.target.process.command_line, `docker\s+(inspect|logs|exec|env|cp|run)`)
      and re.regex($docker_event.target.process.command_line, `(pass|secret|token|credential|key|aws|gcp|azure)`)
    )
    or (
      // Pattern 3: Unauthorized docker.sock access
      $sock_event.metadata.event_type = "FILE_OPEN"
      and $sock_event.target.file.full_path = "/var/run/docker.sock"
      and not re.regex($sock_event.principal.process.file.full_path, `(^|/)(dockerd|containerd|docker-proxy|docker|moby|cri-dockerd)$`)
    )
    or (
      // Pattern 4: Kubernetes API audit — secret enumeration
      $k8s_event.metadata.event_type = "RESOURCE_READ"
      and $k8s_event.metadata.product_name = "Kubernetes"
      and $k8s_event.target.resource.type = "secrets"
      and $k8s_event.network.http.method = "GET"
      and not re.regex($k8s_event.principal.user.userid, `^system:(serviceaccount:kube-system:|node:)`)
    )

  condition:
    $kubectl_event or $docker_event or $sock_event or $k8s_event
}

high severity high confidence

Data Sources

Google Chronicle UDM via GCP audit log ingestion Linux endpoint telemetry forwarded to Chronicle Kubernetes API server audit logs ingested via Chronicle forwarder

Required Tables

UDM events with event_type PROCESS_LAUNCH UDM events with event_type FILE_OPEN UDM events with event_type RESOURCE_READ from Kubernetes product

False Positives

Vault Agent injectors or External Secrets Operators running inside Kubernetes that legitimately GET secrets from the API server to inject them into pod environments
Docker-in-Docker (DinD) CI/CD builds where the inner Docker daemon accesses the outer docker.sock through a bind mount, appearing as unauthorized access
Security operations teams running Peirates, kube-hunter, or similar audit tools against their own clusters as part of authorized red team or vulnerability assessment exercises

CrowdStrike LogScale (CQL)

cql

// T1552.007 — Container API Credential Access
// Pattern 1 & 2: kubectl and docker CLI credential access
(
  #event_simpleName=ProcessRollup2
  | ImageFileName=/(\/|\\)(kubectl|docker)(\.exe)?$/i
  | CommandLine=/(kubectl.*(get|describe)\s+(secret|secrets|sa|serviceaccount|serviceaccounts|configmap)|kubectl\s+exec|kubectl\s+logs|docker.*(inspect|logs|exec|env|cp))/i
  | IsKubectlSecret := if(CommandLine=~/(kubectl.*(get|describe).*(secret|serviceaccount|sa|configmap))/i, "true", "false")
  | IsDockerCred := if(CommandLine=~/(docker.*(inspect|logs|exec|env).*(pass|secret|token|key|credential))/i, "true", "false")
  | IsDockerSock := if(CommandLine=~/\/var\/run\/docker\.sock/i, "true", "false")
  | RiskScore := sum(values=[if(IsKubectlSecret="true", 1, 0), if(IsDockerCred="true", 1, 0), if(IsDockerSock="true", 1, 0)])
  | where RiskScore > 0
  | select(@timestamp, aid, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, IsKubectlSecret, IsDockerCred, IsDockerSock, RiskScore)
)
| union
(
  // Pattern 3: Unexpected docker.sock access via file events
  #event_simpleName=GenericFileWrite OR #event_simpleName=PeFileWrite
  | TargetFileName=/\/var\/run\/docker\.sock/i
  | not ImageFileName=/(dockerd|containerd|docker-proxy|docker|cri-dockerd)$/i
  | IsDockerSock := "true"
  | RiskScore := 1
  | select(@timestamp, aid, ComputerName, UserName, ImageFileName, TargetFileName, IsDockerSock, RiskScore)
)
| sort(field=@timestamp, order=desc)
| groupBy([ComputerName, UserName, CommandLine], function=[count(as=EventCount), max(RiskScore, as=MaxRisk), min(@timestamp, as=FirstSeen), max(@timestamp, as=LastSeen)])
| sort(field=MaxRisk, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR endpoint telemetry (ProcessRollup2) CrowdStrike Falcon file event telemetry (GenericFileWrite) Falcon Data Replicator (FDR) or Humio LogScale ingest

Required Tables

#event_simpleName=ProcessRollup2 #event_simpleName=GenericFileWrite #event_simpleName=PeFileWrite

False Positives

Platform SREs running kubectl commands to rotate or inspect secrets during incident response or scheduled maintenance windows, especially in multi-tenant clusters
Container image build pipelines using docker inspect to extract metadata or layer digests as part of image provenance and SBOM generation workflows
Falco or Sysdig agents deployed as DaemonSets that access docker.sock for system call tracing and container inventory, appearing as unexpected socket consumers to the EDR

Container API

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections