---
title: User Attached to a Pod
description: Datadog, the leading service for cloud-scale monitoring.
---

# User Attached to a Pod

- Classification: attack
- Tactic: [TA0007-discovery](https://attack.mitre.org/tactics/TA0007)
- Technique: [T1613-container-and-resource-discovery](https://attack.mitre.org/techniques/T1613)

## Goal{% #goal %}

Detect when a user attaches to a pod.

## Strategy{% #strategy %}

This rule monitors when a user attaches (`@objectRef.subresource:attach`) to a pod (`@objectRef.resource:pods`).

A user should not need to attach to a pod. Attaching to a pod allows a user to attach to any process in a running container, which may give an attacker access to sensitive data.
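
The same match applied directly to raw Kubernetes audit events, as an added example that is not Datadog's rule query or code. It assumes one `audit.k8s.io/v1` JSON event per line, that the `@objectRef.*` attributes map to the event's `objectRef` fields, and that usernames starting with `system:` count as system accounts. The sample events and the function name are constructed for illustration.

```python
import json

# Constructed sample audit events (one JSON object per line), not real logs.
SAMPLE_AUDIT_LOG = """\
{"auditID":"a1","stage":"ResponseStarted","verb":"create","user":{"username":"alice@example.com"},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"pods","namespace":"prod","name":"api-0","subresource":"attach"}}
{"auditID":"a1","stage":"ResponseComplete","verb":"create","user":{"username":"alice@example.com"},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"pods","namespace":"prod","name":"api-0","subresource":"attach"}}
{"auditID":"b2","stage":"ResponseComplete","verb":"get","user":{"username":"bob@example.com"},"sourceIPs":["198.51.100.4"],"objectRef":{"resource":"pods","namespace":"prod","name":"api-0","subresource":"log"}}
{"auditID":"c3","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:kube-system:debugger"},"sourceIPs":["10.0.0.5"],"objectRef":{"resource":"pods","namespace":"kube-system","name":"dns-1","subresource":"attach"}}
{"auditID":"d4","stage":"ResponseComplete","verb":"list","user":{"username":"carol@example.com"},"sourceIPs":["198.51.100.9"],"objectRef":{"resource":"pods","namespace":"dev"}}
truncated-or-non-json-line
"""

# Assumption: the page says system accounts are excluded but does not list them.
SYSTEM_PREFIXES = ("system:",)


def find_pod_attaches(lines, system_prefixes=SYSTEM_PREFIXES):
    """Return one finding per pod attach request by a non-system user."""
    seen_ids, findings = set(), []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank, truncated or non-JSON lines
        if not isinstance(event, dict):
            continue
        ref = event.get("objectRef") or {}
        # Same condition as the rule: resource is pods, subresource is attach.
        if ref.get("resource") != "pods" or ref.get("subresource") != "attach":
            continue
        username = (event.get("user") or {}).get("username", "")
        if username.startswith(system_prefixes):
            continue
        # A long-running attach is logged at several stages; report it once.
        audit_id = event.get("auditID")
        if audit_id is not None and audit_id in seen_ids:
            continue
        seen_ids.add(audit_id)
        findings.append({
            "user": username,
            "pod": f'{ref.get("namespace")}/{ref.get("name")}',
            "verb": event.get("verb"),
            "source_ips": event.get("sourceIPs", []),
        })
    return findings


if __name__ == "__main__":
    for finding in find_pod_attaches(SAMPLE_AUDIT_LOG.splitlines()):
        print(finding)
```

The user, pod and source IP in each finding are the fields needed to decide whether that user should be attaching to the container.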

## Triage and response{% #triage-and-response %}

Determine if the user should be attaching to a running container.

## Changelog{% #changelog %}

- 7 May 2024 - Updated detection query to include logs from Azure Kubernetes Service.
- 17 July 2024 - Updated detection query to include logs from Google Kubernetes Engine.
- 5 March 2025 - Updated detection query for Google Kubernetes Engine to include the event `io.k8s.core.v1.pods.attach.get` and exclude system accounts.
