← Back to Explore
elasticmediumTTP
GKE Pod Created With HostIPC
Detects GKE pod create, update, or patch events that enable host IPC namespace sharing. This exposes host inter-process communication mechanisms and can support privilege escalation. Controller-owned workloads are excluded.
Detection Query
data_stream.dataset:gcp.audit and event.outcome:success and
event.action:("io.k8s.core.v1.pods.create" or "io.k8s.core.v1.pods.update" or "io.k8s.core.v1.pods.patch") and
gcp.audit.request.spec.hostIPC:true and
not gcp.audit.request.metadata.ownerReferences.kind:("ReplicaSet" or "DaemonSet" or "StatefulSet")
Author
Elastic
Created
2026/06/30
Data Sources
GCPGoogle Cloud Platformlogs-gcp.audit-*
References
Tags
Domain: CloudDomain: KubernetesData Source: GCPData Source: Google Cloud PlatformUse Case: Threat DetectionTactic: Privilege EscalationTactic: ExecutionResources: Investigation Guide
Raw Content
[metadata]
creation_date = "2026/06/30"
integration = ["gcp"]
maturity = "production"
updated_date = "2026/06/30"
[rule]
author = ["Elastic"]
description = """
Detects GKE pod create, update, or patch events that enable host IPC namespace sharing. This exposes host inter-process
communication mechanisms and can support privilege escalation. Controller-owned workloads are excluded.
"""
false_positives = [
"""
Administrators may enable hostIPC for legitimate debugging. Exclude trusted users or namespaces after baselining.
""",
]
index = ["logs-gcp.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "GKE Pod Created With HostIPC"
note = """## Triage and analysis
### Investigating GKE Pod Created With HostIPC
Host IPC lets a pod interact with host IPC facilities. Review the pod spec, actor, and whether the change was expected.
### Investigation steps
- Confirm `gcp.audit.request.spec.hostIPC` and targeted namespace or pod.
- Review `user.email` and correlate with other risky pod modifications.
### False positives
- Break-glass debugging on nodes; allowlist known admin identities.
## Setup
The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule."""
references = [
"https://kubernetes.io/docs/concepts/security/pod-security-standards/",
"https://bishopfox.com/blog/kubernetes-pod-privilege-escalation",
]
risk_score = 47
rule_id = "fde4efad-9cd0-4fa4-84c8-0e3b6fc957b4"
severity = "medium"
tags = [
"Domain: Cloud",
"Domain: Kubernetes",
"Data Source: GCP",
"Data Source: Google Cloud Platform",
"Use Case: Threat Detection",
"Tactic: Privilege Escalation",
"Tactic: Execution",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
data_stream.dataset:gcp.audit and event.outcome:success and
event.action:("io.k8s.core.v1.pods.create" or "io.k8s.core.v1.pods.update" or "io.k8s.core.v1.pods.patch") and
gcp.audit.request.spec.hostIPC:true and
not gcp.audit.request.metadata.ownerReferences.kind:("ReplicaSet" or "DaemonSet" or "StatefulSet")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1611"
name = "Escape to Host"
reference = "https://attack.mitre.org/techniques/T1611/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1610"
name = "Deploy Container"
reference = "https://attack.mitre.org/techniques/T1610/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"