| Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|---|
| azure_defender_for_kubernetes | Azure Defender for Kubernetes | detect | partial | T1525 | Implant Container Image |
Comments
This control may alert on containers with sensitive volume mounts, unneeded privileges, or running an image with digital currency mining software.
References
|
| azure_defender_for_kubernetes | Azure Defender for Kubernetes | protect | partial | T1190 | Exploit Public-Facing Application |
Comments
This control may alert on publicly exposed Kubernetes services. This may provide context on services that should be patched or hardened for public access.
References
|
| azure_defender_for_kubernetes | Azure Defender for Kubernetes | detect | partial | T1068 | Exploitation for Privilege Escalation |
Comments
This control may alert on detection of new privileged containers and high privilege roles.
References
|
| azure_defender_for_kubernetes | Azure Defender for Kubernetes | detect | partial | T1070 | Indicator Removal on Host |
Comments
This control may alert on deletion of Kubernetes events. Attackers might delete those events for hiding their operations in the cluster. There is no relevant sub-technique for this control but the parent applies.
References
|
| Capability ID | Capability Name | Number of Mappings |
|---|---|---|
| azure_defender_for_kubernetes | Azure Defender for Kubernetes | 4 |