Kubelet API Connection Attempt to Internal IP

Detects network connection attempts to the Kubernetes Kubelet API port (10250/10255) on internal IP ranges from Linux hosts. This rule focuses on common request and scripting utilities (curl, wget, python, node, etc.) and executions from world-writable or ephemeral paths (/tmp, /var/tmp, /dev/shm, /var/run), which are frequently abused during container and cluster lateral movement.

Elastic rule

[metadata]
creation_date = "2026/04/28"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2026/04/28"

[rule]
author = ["Elastic"]
description = """
Detects network connection attempts to the Kubernetes Kubelet API port (10250/10255) on internal IP ranges from Linux hosts.
This rule focuses on common request and scripting utilities (curl, wget, python, node, etc.) and executions from
world-writable or ephemeral paths (/tmp, /var/tmp, /dev/shm, /var/run), which are frequently abused during container and
cluster lateral movement.
"""
false_positives = [
    """
    Legitimate node health checks, diagnostics, or in-cluster agents may access the Kubelet API on port 10250. Validate
    the calling process, command line, and whether the destination is the local node or another node.
    """,
]
from = "now-9m"
index = ["auditbeat-*", "logs-auditd_manager.auditd-*", "logs-endpoint.events.network*"]
language = "eql"
license = "Elastic License v2"
name = "Kubelet API Connection Attempt to Internal IP"
note = """## Triage and analysis

### Investigating Kubelet API Connection Attempt to Internal IP

This alert indicates a process on a Linux host attempted to connect to port 10250 (Kubelet API) on an internal or
loopback IP address, including IPv4 private ranges and IPv6 localhost. Kubelet access is commonly abused to enumerate
pods, retrieve logs, or execute commands on nodes when authentication or network controls are weak.

### Possible investigation steps

- Review the initiating process (`process.*`) and its executable path; prioritize processes running from `/tmp`,
  `/var/tmp`, `/dev/shm`, or `/var/run`, and suspicious interpreters or downloaders.
- Determine whether the destination IP is the local node, another node, or a management host, and whether connectivity to
  10250 is expected for this workload/user.
- Correlate with process argument telemetry for HTTP URLs, kubelet endpoints (e.g., `/pods`, `/runningpods`, `/exec`), and
  subsequent Kubernetes API audit activity or credential access.

### False positive analysis

- Approved troubleshooting (SRE/cluster operator) sessions that validate Kubelet reachability on the node.
- In-cluster agents that legitimately scrape or query the Kubelet (confirm vendor, image, and deployment).

### Response and remediation

- Restrict pod-to-node access to 10250 using network policies/security groups where possible.
- Rotate and revoke any exposed Kubernetes credentials and investigate for follow-on cluster discovery or execution.
"""
references = [
    "https://attack.mitre.org/techniques/T1021/",
    "https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/",
]
risk_score = 47
rule_id = "9f420cca-cb27-44db-a13d-c43c7b48e04a"
setup = """## Setup

### Auditd Manager: emitting network connection telemetry

This rule is written against `event.category:network` events. Elastic Defend provides this natively. For Auditd Manager,
you typically need to audit network-related syscalls (for example `connect`) and rely on the integration/pipeline to map
those syscall events into ECS-like network events.

If you are not seeing `event.category:network` for Auditd Manager data, add syscall audit rules for network connections.
The example below is a starting point and may need to be adjusted for your environment and noise tolerance:

# 64-bit
-a always,exit -F arch=b64 -S connect -S accept -S accept4 -S sendto -S recvfrom -k netconn

# 32-bit (if applicable)
-a always,exit -F arch=b32 -S connect -S accept -S accept4 -S sendto -S recvfrom -k netconn

After enabling, validate that events include `destination.ip`, `destination.port`, and a populated `process.*` context.
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "Domain: Container",
    "Domain: Kubernetes",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Lateral Movement",
    "Tactic: Discovery",
    "Data Source: Elastic Defend",
    "Data Source: Auditd Manager",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
network where host.os.type == "linux" and event.type == "start" and event.category == "network" and network.direction == "egress" and
  event.action in ("connected-to", "connection_attempted") and (destination.port == 10250 or destination.port == 10255) and
  cidrmatch(
    destination.ip,
    "127.0.0.0/8",
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "169.254.0.0/16",
    "100.64.0.0/10",
    "::1/128",
    "fc00::/7",
    "fe80::/10"
  ) and
  (
    process.name in ("curl", "wget", "nc", "ncat", "netcat", "socat", "openssl", "perl", "busybox") or
    process.name like ".*" or process.executable like "/*/.*" or
    process.name like ("python*", "ruby*", "node*", "java*", "lua*", "apache*", "php*", "nginx", "httpd*", "lighttpd", "caddy", "mongrel_rails", "gunicorn",
                       "uwsgi", "openresty", "cherokee", "h2o", "resin", "puma", "unicorn", "traefik", "tornado", "hypercorn",
                       "daphne", "twistd", "yaws", "webfsd", "flask", "rails", "mongrel", "catalina.sh", "hiawatha", "lswsctrl") or
    process.executable like ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/home/*", "/run/user/*", "/busybox/*")
  )
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"

[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1613"
name = "Container and Resource Discovery"
reference = "https://attack.mitre.org/techniques/T1613/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
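To see how the query's filters combine, and to exercise the setup section's "validate that events include destination.ip, destination.port and process.* context" step, the following added example re-implements the rule's where-clause in Python and runs it over constructed ECS-style events. It is not Elastic's code and not the EQL engine the rule runs in; the CIDR list, port set, process-name lists and path globs are transcribed from the query above, `fnmatchcase` stands in for EQL `like`, and the sample events, field names such as `process.args`, and the `triage`/`telemetry_gaps` helpers are assumptions made for the example. The triage helper covers the guide's first two investigation steps: classify the destination (loopback means the node's own kubelet; otherwise another node or a management host) and look for the listed kubelet endpoints in the command line.

```python
"""Offline model of the rule's EQL where-clause and the guide's triage checks,
run over constructed ECS-style events. Added example; not Elastic's code."""
import ipaddress
from fnmatch import fnmatchcase

# Constants transcribed from the rule's query.
INTERNAL_CIDRS = [ipaddress.ip_network(c) for c in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10")]
KUBELET_PORTS = {10250, 10255}
ACTIONS = {"connected-to", "connection_attempted"}
EXACT_NAMES = {"curl", "wget", "nc", "ncat", "netcat", "socat", "openssl", "perl", "busybox"}
NAME_GLOBS = ("python*", "ruby*", "node*", "java*", "lua*", "apache*", "php*", "nginx",
              "httpd*", "lighttpd", "caddy", "mongrel_rails", "gunicorn", "uwsgi",
              "openresty", "cherokee", "h2o", "resin", "puma", "unicorn", "traefik",
              "tornado", "hypercorn", "daphne", "twistd", "yaws", "webfsd", "flask",
              "rails", "mongrel", "catalina.sh", "hiawatha", "lswsctrl")
EPHEMERAL_GLOBS = ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*")
EXEC_GLOBS = EPHEMERAL_GLOBS + ("/home/*", "/run/user/*", "/busybox/*")
KUBELET_ENDPOINTS = ("/pods", "/runningpods", "/exec")   # from the investigation guide
REQUIRED_FIELDS = ("destination.ip", "destination.port", "process.name", "process.executable")


def cidrmatch(ip, cidrs=INTERNAL_CIDRS):
    """EQL cidrmatch(): true only if ip parses and lies in one of the networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except (ValueError, TypeError):
        return False
    return any(addr in net for net in cidrs)


def like_any(value, globs):
    """EQL `like`: case-sensitive glob where * spans any characters, including '/'."""
    return isinstance(value, str) and any(fnmatchcase(value, g) for g in globs)


def matches_rule(ev):
    """Evaluate the rule's where-clause against a flat, dotted-key ECS event."""
    if not (ev.get("host.os.type") == "linux" and ev.get("event.type") == "start"
            and ev.get("event.category") == "network"
            and ev.get("network.direction") == "egress"
            and ev.get("event.action") in ACTIONS
            and ev.get("destination.port") in KUBELET_PORTS
            and cidrmatch(ev.get("destination.ip"))):
        return False
    name, exe = ev.get("process.name"), ev.get("process.executable")
    return (name in EXACT_NAMES
            or like_any(name, (".*",))      # dot-prefixed process name
            or like_any(exe, ("/*/.*",))    # hidden executable anywhere on disk
            or like_any(name, NAME_GLOBS)
            or like_any(exe, EXEC_GLOBS))


def telemetry_gaps(ev):
    """Setup check: fields the rule depends on that are missing or empty (assumed helper)."""
    return [f for f in REQUIRED_FIELDS if ev.get(f) in (None, "")]


def triage(ev):
    """Investigation steps 1-2: destination scope, endpoint hints, ephemeral path (assumed helper)."""
    addr = ipaddress.ip_address(ev["destination.ip"])
    scope = ("local-node" if addr.is_loopback else
             "link-local" if addr.is_link_local else "internal")  # other node or mgmt host
    args = " ".join(ev.get("process.args", []))
    return {"scope": scope,
            "kubelet_endpoints": [e for e in KUBELET_ENDPOINTS if e in args],
            "ephemeral_path": like_any(ev.get("process.executable"), EPHEMERAL_GLOBS)}


BASE = {"host.os.type": "linux", "event.type": "start", "event.category": "network",
        "network.direction": "egress", "event.action": "connection_attempted"}

# Constructed sample events (not real telemetry); each overrides the BASE fields.
SAMPLE_EVENTS = {n: {**BASE, **f} for n, f in {
    "curl_from_tmp": {"destination.ip": "10.0.1.5", "destination.port": 10250,
                      "process.name": "curl", "process.executable": "/tmp/curl",
                      "process.args": ["curl", "https://10.0.1.5:10250/pods"]},
    "kubelet_self_check": {"destination.ip": "127.0.0.1", "destination.port": 10250,
                           "process.name": "kubelet", "process.executable": "/usr/bin/kubelet"},
    "python_other_node": {"destination.ip": "192.168.4.20", "destination.port": 10255,
                          "process.name": "python3", "process.executable": "/usr/bin/python3"},
    "curl_external": {"destination.ip": "203.0.113.9", "destination.port": 10250,
                      "process.name": "curl", "process.executable": "/usr/bin/curl"},
    "hidden_binary": {"destination.ip": "fe80::1", "destination.port": 10250,
                      "process.name": ".helper", "process.executable": "/opt/agent/.helper"},
    "ingress_only": {"network.direction": "ingress", "destination.ip": "10.0.1.5",
                     "destination.port": 10250, "process.name": "curl",
                     "process.executable": "/usr/bin/curl"},
    "auditd_unmapped": {"destination.ip": "10.0.1.5", "destination.port": 10250},
}.items()}


def run_samples():
    """Map each sample event name to whether the rule would fire on it."""
    return {n: matches_rule(ev) for n, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for n, fired in run_samples().items():
        print(f"{n:20s} fires={fired!s:5s} gaps={telemetry_gaps(SAMPLE_EVENTS[n])}")
    print(triage(SAMPLE_EVENTS["curl_from_tmp"]))
```

The `kubelet_self_check` and `auditd_unmapped` samples show the two ways a connection to 10250 stays silent: the node's own kubelet binary matches none of the process filters, and an auditd record whose pipeline never populated `process.*` cannot satisfy the process clause at all, which is exactly what the setup section's validation step is meant to catch.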

