Which SIEM platforms have a T1613 detection rule?

df00tech provides T1613 (Container and Resource Discovery) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Container and Resource Discovery (T1613)?

Detecting Container and Resource Discovery requires the following data sources: Microsoft Defender for Endpoint.

What severity and confidence is the T1613 detection?

The T1613 detection is rated medium severity with medium confidence.

What are common false positives for T1613?

Common false positives for T1613 include: Legitimate DevOps engineers and SREs routinely run kubectl get pods/nodes and docker ps for operational monitoring and troubleshooting; CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) execute container enumeration commands as part of automated build, test, and deploy workflows; Kubernetes operators, admission controllers, and monitoring tools (Prometheus node-exporter, Datadog agent, Falco) query the kubelet API and Kubernetes API server continuously for health data.

T1613: Container and Resource Discovery — Detection (KQL, SPL, Sigma + 5 SIEMs)

Microsoft Sentinel / Defender

kusto

let ContainerDiscoveryCommands = dynamic(["docker ps", "docker inspect", "docker images", "docker info", "docker stats", "docker network ls", "docker volume ls", "docker container ls"]);
let KubeDiscoveryPatterns = dynamic(["get pods", "get nodes", "get namespaces", "get services", "get deployments", "get secrets", "get configmaps", "describe pod", "describe node", "cluster-info", "get all", "get sa", "get serviceaccount"]);
let CrictlCommands = dynamic(["crictl ps", "crictl pods", "crictl images", "crictl info"]);
let SuspiciousParents = dynamic(["bash", "sh", "dash", "zsh", "python", "python3", "perl", "ruby", "nc", "ncat", "socat"]);
DeviceProcessEvents
| where TimeGenerated > ago(1d)
| where (
    // Docker enumeration commands
    (ProcessCommandLine has "docker" and (
        ProcessCommandLine has "ps" or
        ProcessCommandLine has "inspect" or
        ProcessCommandLine has "images" or
        ProcessCommandLine has "info" or
        ProcessCommandLine has "stats" or
        ProcessCommandLine has "network ls" or
        ProcessCommandLine has "volume ls" or
        ProcessCommandLine has "container ls"
    ))
    or
    // kubectl enumeration
    (FileName =~ "kubectl" and (
        ProcessCommandLine has "get pods" or
        ProcessCommandLine has "get nodes" or
        ProcessCommandLine has "get namespaces" or
        ProcessCommandLine has "get services" or
        ProcessCommandLine has "get deployments" or
        ProcessCommandLine has "get secrets" or
        ProcessCommandLine has "get configmaps" or
        ProcessCommandLine has "get all" or
        ProcessCommandLine has "cluster-info" or
        ProcessCommandLine has "describe" or
        ProcessCommandLine has "get sa" or
        ProcessCommandLine has "get serviceaccount"
    ))
    or
    // crictl (containerd CLI) enumeration
    (FileName =~ "crictl" and (
        ProcessCommandLine has "ps" or
        ProcessCommandLine has "pods" or
        ProcessCommandLine has "images" or
        ProcessCommandLine has "info"
    ))
    or
    // ctr (containerd) enumeration
    (FileName =~ "ctr" and (
        ProcessCommandLine has "containers list" or
        ProcessCommandLine has "images list" or
        ProcessCommandLine has "tasks list"
    ))
    or
    // Peirates and similar offensive tools
    (FileName =~ "peirates")
    or
    // curl/wget against Docker socket or Kubernetes API
    ((FileName in~ ("curl", "wget")) and (
        ProcessCommandLine has "/var/run/docker.sock" or
        ProcessCommandLine has ":8080/api" or
        ProcessCommandLine has ":6443/api" or
        ProcessCommandLine has ":10250" or
        ProcessCommandLine has "/api/v1/pods" or
        ProcessCommandLine has "/api/v1/nodes" or
        ProcessCommandLine has "/api/v1/namespaces"
    ))
)
| extend RiskScore = case(
    InitiatingProcessFileName in~ (SuspiciousParents), 80,
    AccountName !in~ ("root", "system") and FileName =~ "kubectl", 60,
    ProcessCommandLine has "get secrets", 90,
    ProcessCommandLine has "/var/run/docker.sock", 85,
    ProcessCommandLine has ":10250", 80,
    40
)
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, RiskScore
| where RiskScore >= 40
| order by RiskScore desc, TimeGenerated desc

Detects process execution of Docker, kubectl, crictl, and ctr enumeration commands used to discover containers, pods, nodes, namespaces, services, secrets, and cluster configuration. Also detects curl/wget queries against the Docker Unix socket or Kubernetes API endpoints (including the kubelet API on port 10250). Assigns risk scores based on parent process suspiciousness, sensitive resource types (secrets), and direct socket/API access.

medium severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate DevOps engineers and SREs routinely run kubectl get pods/nodes and docker ps for operational monitoring and troubleshooting
CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) execute container enumeration commands as part of automated build, test, and deploy workflows
Kubernetes operators, admission controllers, and monitoring tools (Prometheus node-exporter, Datadog agent, Falco) query the kubelet API and Kubernetes API server continuously for health data
Container security scanners (Trivy, Anchore, Snyk) enumerate images and running containers during scheduled vulnerability assessments

Splunk

spl

index=* (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="linux_secure" OR sourcetype="syslog" OR sourcetype="auditd")
| eval is_container_discovery=0
| eval cmd=coalesce(CommandLine, command, cmd_line, "")
| eval process=coalesce(Image, process_name, comm, "")
| eval parent_process=coalesce(ParentImage, parent_process_name, "")
```Docker enumeration```
| eval is_container_discovery=if(
    (match(process, "(?i)docker$") AND match(cmd, "(?i)(\\bps\\b|inspect|images|info|stats|network ls|volume ls|container ls)")),
    1, is_container_discovery)
```kubectl enumeration```
| eval is_container_discovery=if(
    (match(process, "(?i)kubectl$") AND match(cmd, "(?i)(get (pods|nodes|namespaces|services|deployments|secrets|configmaps|all|sa)|cluster-info|describe)")),
    1, is_container_discovery)
```crictl/ctr enumeration```
| eval is_container_discovery=if(
    (match(process, "(?i)(crictl|ctr)$") AND match(cmd, "(?i)(ps|pods|images|info|containers list|tasks list)")),
    1, is_container_discovery)
```Peirates offensive tool```
| eval is_container_discovery=if(match(process, "(?i)peirates"), 1, is_container_discovery)
```curl/wget against Docker socket or Kubernetes API```
| eval is_container_discovery=if(
    (match(process, "(?i)(curl|wget)$") AND match(cmd, "(?i)(\/var\/run\/docker\.sock|:8080\/api|:6443\/api|:10250|\/api\/v1\/(pods|nodes|namespaces))")),
    1, is_container_discovery)
| where is_container_discovery=1
| eval risk_score=case(
    match(cmd, "(?i)get secrets"), 90,
    match(cmd, "(?i)\/var\/run\/docker\.sock"), 85,
    match(cmd, "(?i):10250"), 80,
    match(parent_process, "(?i)(bash|sh|dash|zsh|python3?|perl|ruby|nc|ncat|socat)"), 80,
    match(process, "(?i)peirates"), 95,
    1==1, 40
)
| eval severity=case(risk_score >= 85, "critical", risk_score >= 70, "high", risk_score >= 50, "medium", 1==1, "low")
| stats count as execution_count, values(cmd) as commands, values(parent_process) as parent_processes, max(risk_score) as max_risk_score, min(_time) as first_seen, max(_time) as last_seen by host, user, process, severity
| where execution_count >= 1
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - max_risk_score
| table host, user, process, commands, parent_processes, execution_count, max_risk_score, severity, first_seen, last_seen

Detects container and resource discovery activity by monitoring process execution events for Docker CLI, kubectl, crictl, ctr, Peirates, and curl/wget queries against container runtime APIs. Aggregates by host/user/process to identify enumeration bursts and assigns risk scores based on sensitive resource types (secrets), direct socket/API access, and suspicious parent process chains.

medium severity medium confidence

Data Sources

Sysmon Linux Auditd Linux Secure Logs

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational linux_secure syslog auditd

False Positives

Platform engineering teams performing routine cluster health checks via kubectl get nodes/pods as part of on-call runbooks
Monitoring and observability platforms (Prometheus, Datadog, New Relic) continuously querying Kubernetes API and kubelet endpoints for metrics and service discovery
Container orchestration automation scripts in CI/CD systems that enumerate running containers to determine deployment state before rolling updates
Security baseline tools (kube-bench, kube-hunter in assessment mode) that enumerate cluster resources as part of authorized security posture reviews

Elastic Security (EQL)

eql

process where process.name in ("docker", "kubectl", "crictl", "ctr", "podman", "nsenter", "runc") and (process.args : ("exec", "run", "create", "deploy", "--privileged", "--pid=host", "--net=host", "--cap-add", "SYS_ADMIN", "nsenter") or process.command_line : ("*--privileged*", "*--pid=host*", "*--cap-add=SYS_ADMIN*", "*nsenter*pid*1*"))

Elastic EQL translation of the T1613 detection logic. Detects process execution of Docker, kubectl, crictl, and ctr enumeration commands used to discover containers, pods, nodes, namespaces, services, sec

medium severity medium confidence

Data Sources

Elastic Endpoint Security Kubernetes Audit Logs

Required Tables

logs-endpoint.events.process-*

False Positives

Legitimate DevOps engineers and SREs routinely run kubectl get pods/nodes and docker ps for operational monitoring and troubleshooting
CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) execute container enumeration commands as part of automated build, test, and deploy workflows
Kubernetes operators, admission controllers, and monitoring tools (Prometheus node-exporter, Datadog agent, Falco) query the kubelet API and Kubernetes API server continuously for health data
Container security scanners (Trivy, Anchore, Snyk) enumerate images and running containers during scheduled vulnerability assessments

IBM QRadar (AQL)

sql

SELECT username as "Username", "UTF8(payload)" as "CommandLine", sourceip as "SourceIP", devicetime as "EventTime", CASE WHEN "CommandLine" ILIKE '%--privileged%' OR "CommandLine" ILIKE '%nsenter%pid%1%' THEN 90 WHEN "CommandLine" ILIKE '%--pid=host%' OR "CommandLine" ILIKE '%--cap-add=SYS_ADMIN%' THEN 80 WHEN "CommandLine" ILIKE '%docker exec%' OR "CommandLine" ILIKE '%kubectl exec%' THEN 65 ELSE 50 END as "RiskScore" FROM events WHERE eventid = 4688 AND ("CommandLine" ILIKE '%docker%' OR "CommandLine" ILIKE '%kubectl%' OR "CommandLine" ILIKE '%crictl%' OR "CommandLine" ILIKE '%podman%' OR "CommandLine" ILIKE '%nsenter%') ORDER BY "RiskScore" DESC LAST 24 HOURS

IBM QRadar AQL translation of the T1613 detection. Uses SQL-like syntax with risk scoring. Detects process execution of Docker, kubectl, crictl, and ctr enumeration commands used to discover

medium severity medium confidence

Data Sources

Linux OS Kubernetes Audit

Required Tables

events

False Positives

Legitimate DevOps engineers and SREs routinely run kubectl get pods/nodes and docker ps for operational monitoring and troubleshooting
CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) execute container enumeration commands as part of automated build, test, and deploy workflows
Kubernetes operators, admission controllers, and monitoring tools (Prometheus node-exporter, Datadog agent, Falco) query the kubelet API and Kubernetes API server continuously for health data
Container security scanners (Trivy, Anchore, Snyk) enumerate images and running containers during scheduled vulnerability assessments

Sumo Logic CSE

sql

_sourceCategory=endpoint/linux OR _sourceCategory=endpoint/kubernetes | json auto | where process_name in ("docker", "kubectl", "crictl", "ctr", "podman", "nsenter", "runc") | if(matches(command_line, "*--privileged*") or matches(command_line, "*nsenter*pid*1*"), "Critical", if(matches(command_line, "*--pid=host*") or matches(command_line, "*--cap-add=SYS_ADMIN*"), "High", "Medium")) as RiskLevel | stats count by user_name, process_name, command_line, RiskLevel | sort by count desc

Sumo Logic query for T1613 detection using source category filters and aggregation. Detects process execution of Docker, kubectl, crictl, and ctr enumeration commands used to discover

medium severity medium confidence

Data Sources

Linux Endpoint Events Kubernetes Audit Logs

Required Tables

endpoint/linux endpoint/kubernetes

False Positives

Legitimate DevOps engineers and SREs routinely run kubectl get pods/nodes and docker ps for operational monitoring and troubleshooting
CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) execute container enumeration commands as part of automated build, test, and deploy workflows
Kubernetes operators, admission controllers, and monitoring tools (Prometheus node-exporter, Datadog agent, Falco) query the kubelet API and Kubernetes API server continuously for health data
Container security scanners (Trivy, Anchore, Snyk) enumerate images and running containers during scheduled vulnerability assessments

Google Chronicle / SecOps

yaral

rule detect_container_abuse {
  meta:
    author = "Argus"
    description = "Detects suspicious container management and escape attempts"
    severity = "HIGH"
    technique = "T1609_T1611"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      $e.target.process.file.full_path = "/usr/bin/docker" or
      $e.target.process.file.full_path = "/usr/bin/kubectl" or
      $e.target.process.file.full_path = "/usr/bin/nsenter" or
      re.regex($e.target.process.file.full_path, `crictl|podman|runc`) nocase
    )
    (
      re.regex($e.target.process.command_line, `--privileged|--pid=host|--cap-add=SYS_ADMIN|nsenter.*--pid.*1`) nocase
    )
  condition:
    $e
}

Google Chronicle YARA-L 2.0 rule for T1613 detection using UDM event types and field matching. Detects process execution of Docker, kubectl, crictl, and ctr enumeration commands used to discover

medium severity medium confidence

Data Sources

Endpoint Telemetry Kubernetes Audit Logs

Required Tables

PROCESS_LAUNCH

False Positives

Legitimate DevOps engineers and SREs routinely run kubectl get pods/nodes and docker ps for operational monitoring and troubleshooting
CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) execute container enumeration commands as part of automated build, test, and deploy workflows
Kubernetes operators, admission controllers, and monitoring tools (Prometheus node-exporter, Datadog agent, Falco) query the kubelet API and Kubernetes API server continuously for health data
Container security scanners (Trivy, Anchore, Snyk) enumerate images and running containers during scheduled vulnerability assessments

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /docker|kubectl|crictl|podman|nsenter|runc/i
| case {
    CommandHistory = /--privileged|nsenter.*pid.*1/i | RiskLevel := "Critical";
    CommandHistory = /--pid=host|--cap-add=SYS_ADMIN|--net=host/i | RiskLevel := "High";
    CommandHistory = /exec|run.*-it/i | RiskLevel := "Medium";
    * | RiskLevel := "Low"
  }
| where RiskLevel in ("Critical", "High", "Medium")
| table([@timestamp, UserName, ComputerName, ImageFileName, CommandHistory, RiskLevel])

CrowdStrike Falcon LogScale CQL query for T1613 detection. Detects process execution of Docker, kubectl, crictl, and ctr enumeration commands used to discover

medium severity medium confidence

Data Sources

ProcessRollup2 (Falcon sensor)

Required Tables

ProcessRollup2

False Positives

Legitimate DevOps engineers and SREs routinely run kubectl get pods/nodes and docker ps for operational monitoring and troubleshooting
CI/CD pipeline agents (Jenkins, GitLab Runner, GitHub Actions self-hosted) execute container enumeration commands as part of automated build, test, and deploy workflows
Kubernetes operators, admission controllers, and monitoring tools (Prometheus node-exporter, Datadog agent, Falco) query the kubelet API and Kubernetes API server continuously for health data
Container security scanners (Trivy, Anchore, Snyk) enumerate images and running containers during scheduled vulnerability assessments

Container and Resource Discovery

What is T1613 Container and Resource Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1613

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Discovery

Popular Detections

What is T1613 Container and Resource Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1613

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Discovery

Popular Detections

Get new detections in your inbox