---
title: Kubernetes principal attempted to enumerate their permissions
description: Datadog, the leading service for cloud-scale monitoring.
---

# Kubernetes principal attempted to enumerate their permissions

Classification: attack

Tactic: [TA0007-discovery](https://attack.mitre.org/tactics/TA0007)

Technique: [T1613-container-and-resource-discovery](https://attack.mitre.org/techniques/T1613)

## Goal{% #goal %}

Identify when a user is attempting to enumerate their permissions.

## Strategy{% #strategy %}

This rule identifies when a user attempts to enumerate their permissions, for example, by running `kubectl auth can-i --list`. This can indicate that an attacker has compromised a Kubernetes service account or user and is attempting to determine what permissions it has.

## Triage and response{% #triage-and-response %}

1. Determine whether it is suspicious for the user `{{@usr.id}}` to enumerate its permissions. For example, a service account assigned to a web application enumerating its privileges is highly suspicious, while the same activity from a group assigned to operations engineers is likely to represent legitimate activity.
1. Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.
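
The following is an added example, not Datadog's detection query. `kubectl auth can-i --list` works by creating a `SelfSubjectRulesReview` in the `authorization.k8s.io` API group, so this Python code finds those requests in Kubernetes audit log lines and applies the service-account heuristic from triage step 1. The audit events, user names, and the `high`/`review` priority labels are constructed for illustration.

```python
import json

# Constructed audit events using audit.k8s.io/v1 field names; not real logs.
SAMPLE_AUDIT_LOG = """\
{"verb":"create","user":{"username":"system:serviceaccount:shop:web-frontend"},"objectRef":{"apiGroup":"authorization.k8s.io","resource":"selfsubjectrulesreviews"},"sourceIPs":["10.0.3.17"]}
{"verb":"create","user":{"username":"alice@example.com","groups":["ops-engineers"]},"objectRef":{"apiGroup":"authorization.k8s.io","resource":"selfsubjectrulesreviews"},"sourceIPs":["192.0.2.10"]}
{"verb":"create","user":{"username":"system:serviceaccount:shop:web-frontend"},"objectRef":{"apiGroup":"authorization.k8s.io","resource":"selfsubjectaccessreviews"},"sourceIPs":["10.0.3.17"]}
{"verb":"list","user":{"username":"alice@example.com"},"objectRef":{"apiGroup":"","resource":"pods"},"sourceIPs":["192.0.2.10"]}
truncated-line-that-is-not-json
"""

SA_PREFIX = "system:serviceaccount:"


def find_permission_enumeration(log_text):
    """Return one finding per SelfSubjectRulesReview creation in the log."""
    findings = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or non-JSON lines
        if not isinstance(event, dict):
            continue
        ref = event.get("objectRef") or {}
        if (event.get("verb"), ref.get("apiGroup"), ref.get("resource")) != (
                "create", "authorization.k8s.io", "selfsubjectrulesreviews"):
            continue  # single can-i checks (selfsubjectaccessreviews) are not matched
        user = (event.get("user") or {}).get("username", "")
        is_sa = user.startswith(SA_PREFIX)
        findings.append({
            "user": user,
            "source_ips": event.get("sourceIPs", []),
            # Triage heuristic from step 1: workloads rarely need to ask
            # what they can do, so service accounts get the higher priority.
            "priority": "high" if is_sa else "review",
        })
    return findings


if __name__ == "__main__":
    for f in find_permission_enumeration(SAMPLE_AUDIT_LOG):
        print(f["priority"], f["user"], ",".join(f["source_ips"]))
```
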

## Changelog{% #changelog %}

- 7 May 2024 - Updated detection query to include logs from Azure Kubernetes Service.
