[TTD] Jenkins Controller Deserialization and CI/CD Control-Plane Abuse Exposure
Report Type: Threat-to-Detection
Threat Category: Jenkins Controller Deserialization and CI/CD Control-Plane Abuse Exposure
Assessment Date: June 15, 2026
Primary Impact Domain: CI/CD Control-Plane Integrity
Secondary Impact Domains: Credential Trust, Artifact Integrity, Production Release Governance, Cloud and Kubernetes Deployment Authority, Software Supply-Chain Assurance
Affected Asset Class: Jenkins Controllers, CI/CD Infrastructure, Build and Deployment Pipelines, Jenkins-Managed Credentials, Artifact and Release Workflows
Threat Objective Classification: Privileged Jenkins Request Abuse, User Impersonation, Credential Exposure, Controller-Side Execution, Job or Plugin Manipulation, Artifact Publication Abuse, and Downstream Deployment-Path Compromise
Published by: CyberDax LLC
Author: Edward “Tony” Dolley
Role: Founder / Principal Threat Researcher, CyberDax LLC
Publication Date: June 15, 2026
Publication Type: Cybersecurity Research Report / White Paper
BLUF
Jenkins controller deserialization and CI/CD control-plane abuse exposure creates material business risk because attacker-controlled Jenkins configuration submission can become a path to user impersonation, privileged Jenkins request handling, Script Console execution, arbitrary controller file read, credential exposure, job manipulation, plugin modification, artifact publication, and downstream deployment-path abuse. The core risk is whether adversaries can move from Jenkins configuration handling into trusted CI/CD authority before the organization can validate controller version state, configuration activity, user context, credential exposure, controller integrity, job integrity, artifact provenance, and deployment history. Immediate executive action is required to upgrade affected Jenkins controllers, restrict administrative exposure, review Jenkins permissions, validate pipeline integrity, rotate credentials where compromise is suspected, and deploy behavior-led detection across Jenkins controller and downstream CI/CD telemetry.
Executive Risk Translation
Jenkins deserialization exposure shifts the business risk from routine application patching to uncertainty over whether a trusted software-delivery control plane can still be relied upon. If Jenkins controller activity, privileged requests, Script Console use, credential access, job changes, artifact publication, cloud activity, Kubernetes activity, and production deployments cannot be tied to reliable evidence, leadership may need to assume CI/CD trust was exposed until proven otherwise. That response can expand into emergency upgrade windows, release pauses, controller forensics, credential rotation, job and plugin review, artifact validation, downstream environment review, and executive reporting.
S5 Executive Risk Summary
Business Risk
Jenkins controller abuse can undermine CI/CD trust, credential control, artifact integrity, source-code workflow integrity, cloud deployment authority, Kubernetes deployment authority, and production change governance.
Technical Cause
The issue involves Jenkins deserializing attacker-controlled config.xml data in a way that may allow deserialized types from Jenkins core or installed plugins to handle HTTP requests afterward. The durable detection issue is the sequence from suspicious configuration submission into privileged Jenkins behavior, controller-side execution, credential access, or downstream CI/CD activity.
Threat Posture
This is strategically significant for organizations using Jenkins as a production CI/CD control plane, artifact publisher, deployment orchestrator, cloud automation path, Kubernetes deployment path, or secrets broker. It should be treated as Jenkins controller trust-boundary abuse, not as a narrow configuration request issue.
Executive Decision Requirement
Leadership should require affected-controller upgrade, exposure review, Jenkins permission review, Script Console access validation, credential rotation where warranted, pipeline and artifact integrity review, downstream cloud and Kubernetes validation, and deployment of the S25 detection logic.
S6 Executive Cost Summary
Jenkins controller deserialization and CI/CD control-plane abuse exposure creates financial exposure because the organization must determine whether Jenkins was used to impersonate users, issue privileged requests, access credentials, modify jobs, publish artifacts, or affect downstream deployment paths. The cost profile is higher than routine patching when Jenkins supports production releases, artifact generation, cloud deployment, Kubernetes deployment, source-code access, or shared credentials.
Response cost is driven by affected-controller inventory, upgrade validation, log review, permission review, Script Console review, job and plugin diffing, credential rotation, artifact validation, cloud and Kubernetes audit review, and release-history validation.
Low Impact Scenario
Rapid investigation confirms affected-version exposure or suspicious configuration-path activity without evidence of privileged Jenkins actions, Script Console access, credential exposure, controller file access, job changes, plugin changes, suspicious controller execution, rare egress, artifact publication, cloud activity, Kubernetes activity, or production deployment impact. Response remains limited to upgrade, exposure review, permission validation, targeted log review, short-term monitoring, and executive assurance. Estimated impact $25K - $150K.
Moderate Impact Scenario
Confirmed or strongly suspected abuse affects one or more production Jenkins controllers and includes suspicious configuration submission, possible user impersonation, privileged-path access, job changes, plugin changes, credential-path activity, sensitive controller file access, rare egress, or uncertainty over downstream Jenkins-linked activity. Response may require emergency maintenance, Jenkins and host forensics, credential rotation, job and plugin validation, artifact review, source-code audit, cloud identity review, Kubernetes audit review, and release validation. Estimated impact $150K - $1.2M.
High Impact Scenario
Jenkins controller abuse becomes an enterprise-impact event when there is confirmed Script Console execution, arbitrary controller file read, credential theft, malicious job modification, plugin persistence, unauthorized artifact publication, source-code abuse, cloud control-plane activity, Kubernetes deployment manipulation, production release compromise, or customer-facing software impact. Response may require controller rebuilds, broad credential rotation, artifact revocation or validation, release rollback or validation, cloud and Kubernetes incident response, legal review, customer communications, and board-level reporting. Estimated impact $1M - $8M+.
S6A Key Cost Drivers
· Number and importance of affected Jenkins controllers.
· Whether Jenkins supports production releases, artifacts, source code, cloud, Kubernetes, or regulated workloads.
· Evidence of Script Console use, credential access, arbitrary file read, job change, plugin change, controller execution, rare egress, artifact publication, or deployment activity.
· Availability of Jenkins audit logs, access logs, proxy or WAF logs, endpoint telemetry, DNS/proxy logs, artifact logs, cloud logs, Kubernetes logs, and release records.
· Scope of Jenkins-managed credentials and downstream identities requiring review or rotation.
· Completeness of approved administrator, job, plugin, release-window, maintenance-window, and egress inventories.
· Business disruption caused by release pauses, job disablement, credential rotation, artifact validation, or production deployment review.
· Customer, contractual, regulatory, or board-level exposure if artifact integrity or production release integrity cannot be proven.
S6B Compliance and Risk Context
Jenkins controller abuse may create compliance, contractual, regulatory, operational resilience, customer-notification, or software-supply-chain exposure when credential access, artifact manipulation, production deployment activity, regulated workload impact, or customer-facing software changes are confirmed or cannot be ruled out.
For production software delivery environments, the core governance question is whether the organization can prove that Jenkins users, jobs, plugins, credentials, artifacts, cloud actions, Kubernetes activity, and production deployments remained authorized during the exposure window.
Risk Register Entry
Risk Title
Jenkins Controller Deserialization and CI/CD Control-Plane Abuse Exposure
Risk Description
Affected Jenkins controllers may allow attacker-controlled configuration submission to create a path into user impersonation, privileged Jenkins request handling, Script Console execution, arbitrary controller file read, credential exposure, job manipulation, plugin modification, artifact publication, cloud activity, Kubernetes activity, or production release abuse.
Likelihood
Medium-High
Impact
High
Risk Rating
High
Annualized Risk Exposure
Estimated $150K - $1.2M+ for materially exposed Jenkins environments with affected controller versions, broad configuration permissions, production release workflows, incomplete logging, missing controller endpoint telemetry, broad Jenkins-managed credentials, or weak downstream identity mapping. Exposure may rise to $1M - $8M+ where abuse results in credential theft, artifact manipulation, production deployment impact, customer-facing software impact, legal review, customer communications, or board-level reporting.
S10 Threat Overview
Jenkins SECURITY-3707 / CVE-2026-53435 involves attacker-controlled config.xml submission and Jenkins deserialization behavior that can allow deserialized types from Jenkins core or installed plugins to handle HTTP requests afterward.
The activity becomes materially significant because Jenkins often acts as a software-delivery authority. A controller with access to jobs, credentials, artifacts, cloud roles, Kubernetes service accounts, source-code integrations, and production release workflows can convert a Jenkins-layer issue into a broader CI/CD trust problem.
This TTD treats the activity as Jenkins controller deserialization and CI/CD control-plane abuse exposure, not as a narrow Jenkins patching event.
S13 Targets and Exposure Surface
Primary Targets
Jenkins controllers running affected Jenkins versions.
Production Jenkins controllers supporting CI/CD, artifact publication, source-code integration, cloud deployment, Kubernetes deployment, secrets brokering, infrastructure automation, or production release workflows.
Higher-Risk Deployment Conditions
Jenkins controllers are broadly reachable.
Users have broad job, view, agent, or system configuration permissions.
Privileged users have Script Console access.
Jenkins stores long-lived credentials or deployment secrets.
Jenkins jobs can publish artifacts, push container images, deploy infrastructure, or alter production systems.
Jenkins audit logs, endpoint telemetry, job ownership, plugin inventory, or release-window records are incomplete.
Exposure Surface
Jenkins configuration submission paths.
config.xml endpoints.
Job, view, agent, node, and system configuration paths.
Script Console.
Credential store.
Plugin manager.
User and security realm paths.
Controller filesystem.
Job definitions, pipeline scripts, shared libraries, workspaces, artifacts, source-code integrations, cloud deployment workflows, and Kubernetes deployment workflows.
S17 MITRE ATT&CK Chain Flow Mapping
Stage 1: Jenkins Controller Exposure and Configuration Abuse
Attacker-controlled configuration submission reaches an affected Jenkins controller under required access and permission conditions.
· T1190 Exploit Public-Facing Application, applied conditionally where Jenkins is reachable from the attacker’s access position.
Stage 2: User Impersonation or Privileged Jenkins Request Handling
Deserialized object behavior enables follow-on HTTP request handling, user impersonation, or privileged Jenkins actions.
· T1068 Exploitation for Privilege Escalation.
Stage 3: Script Console, Controller File Access, or Credential Exposure
The adversary attempts Script Console execution, controller-side command execution, arbitrary file read, credential access, token creation, or sensitive Jenkins file access.
· T1059 Command and Scripting Interpreter.
· T1552 Unsecured Credentials.
· T1555 Credentials from Password Stores.
· T1005 Data from Local System.
Stage 4: CI/CD Pipeline, Artifact, or Deployment-Path Abuse
The adversary uses Jenkins trust to modify jobs, alter plugins, publish artifacts, abuse source-code workflows, deploy to cloud or Kubernetes, or manipulate production release paths.
· T1053 Scheduled Task/Job.
· T1505 Server Software Component.
Conditional Technique Notes
T1105 Ingress Tool Transfer should only be applied if controller-side download, staging, or tool retrieval is observed.
T1565.002 Stored Data Manipulation should only be applied if artifact, job, configuration, deployment manifest, or release data manipulation is observed.
S18 Attack Path Narrative
An attacker reaches an affected Jenkins controller and satisfies the required access conditions.
The attacker submits controlled configuration data through config.xml or related configuration paths.
Jenkins deserializes allowed core or plugin-defined types.
The deserialized object behavior enables follow-on HTTP request handling.
The attacker attempts user impersonation or privileged Jenkins requests.
The attacker accesses Script Console, credentials, plugin manager, job configuration, node management, user management, or security realm paths.
The attacker reads controller files, accesses credentials, modifies jobs, changes plugins, or triggers controller-side execution.
The attacker uses Jenkins-held trust to affect artifacts, source-code workflows, cloud resources, Kubernetes workloads, or production deployments.
Defenders should detect this through correlated configuration submission, privileged Jenkins activity, controller host behavior, rare egress, and downstream CI/CD activity.
S20 TTP Analysis
Initial Access
Jenkins configuration handling is abused after the attacker reaches an affected Jenkins controller and satisfies the required permission conditions.
Execution
Execution may occur through Script Console, Groovy execution, job manipulation, Jenkins service-context process execution, shell execution, PowerShell execution, or build-step abuse.
Persistence
Persistence may occur through modified jobs, scheduled builds, build triggers, shared libraries, plugins, node configuration, user or token creation, credential additions, webhook changes, or altered deployment workflows.
Privilege Escalation
The deserialization path may allow attacker-controlled behavior to reach another user context or privileged Jenkins actions.
Defense Evasion
Attackers may blend into legitimate Jenkins workflows by using trusted users, normal configuration paths, existing jobs, approved-looking plugin names, or release windows.
Credential Access
Attackers may access Jenkins credential stores, controller secrets, job configurations, environment variables, API tokens, SSH keys, deployment keys, cloud credentials, Kubernetes credentials, source-code tokens, or artifact repository credentials.
Discovery
Attackers may inspect users, groups, permissions, jobs, credentials, plugins, nodes, workspaces, artifacts, source-code integrations, cloud roles, Kubernetes clusters, release jobs, and deployment targets.
Impact
Attackers may alter builds, publish unauthorized artifacts, compromise source-code workflows, deploy unauthorized infrastructure, alter Kubernetes workloads, trigger production releases, disrupt CI/CD operations, or damage artifact trust.
S20A Adversary Tradecraft Summary
The durable tradecraft pattern is controller-trust conversion: attacker-controlled Jenkins configuration data enables privileged Jenkins behavior, which is then used to reach credentials, controller files, jobs, plugins, artifacts, cloud roles, Kubernetes service accounts, or release workflows. Detection should focus on that sequence rather than a single request string, CVE label, or proof-of-concept artifact.
S21 Detection Strategy Overview
Detection Philosophy
Detect Jenkins controller trust abuse through correlated behavior, not single indicators.
Primary Detection Anchors
Suspicious configuration submission, privileged Jenkins paths, Script Console activity, credential activity, sensitive controller file access, controller-side execution, rare egress, artifact publication, cloud activity, Kubernetes activity, and production release behavior.
Detection Prioritization Model
Prioritize events where configuration submission is followed by privileged Jenkins activity or downstream CI/CD actions within a bounded time window.
Correlation Strategy (Strict Enforcement)
Do not promote cloud-only, network-only, or endpoint-only anomalies to high confidence without Jenkins controller, user, job, identity, or time-window correlation.
Telemetry Prioritization
Prioritize Jenkins audit logs, URI-preserving web logs, endpoint process/file telemetry, DNS/proxy logs, artifact logs, cloud logs, Kubernetes logs, and release records.
Detection Design Constraints
Avoid detection designs based only on CVE name, single URI, user agent, exploit string, actor name, or IOC.
Baseline and Deployment Requirements
Baseline approved administrators, source networks, jobs, plugins, service accounts, command patterns, maintenance windows, release windows, and egress destinations.
Variant Resilience Requirements
Rules should remain useful for future Jenkins controller abuse paths that produce the same operational behavior.
Operational Detection Model
Run detections in hunt mode first, tune exceptions, validate joins, verify triage fields, then promote to alert mode.
Explicit Non-Deployment Guardrails
Do not deploy weak cloud-control-plane-only rules as Jenkins compromise detection. Do not claim exploit confirmation from isolated scanner traffic, generic web errors, or uncorrelated egress.
Figure (image not reproduced in this text version)
S22 Primary Detection Signals
Primary Detection Signals
POST requests to Jenkins configuration paths, including config.xml, createItem, doCreateItem, doConfigSubmit, job configuration, view configuration, or node configuration paths.
Configuration submission from unusual sources, unusual users, or outside maintenance windows.
Configuration submission followed by Script Console access, credential activity, plugin changes, job changes, user changes, node changes, or security realm changes.
Jenkins service account spawning shells, scripting engines, transfer tools, archive tools, remote-access utilities, or encoded commands.
Sensitive Jenkins file access involving credentials, secrets, jobs, plugins, users, workspaces, or build artifacts.
Supporting Detection Signals
Unusual authenticated-user context.
Unexpected forwarded user context.
Crumb anomalies where visible.
Rare controller egress.
Unexpected artifact publication.
Unexpected source-code, cloud, Kubernetes, or deployment activity using Jenkins-linked identities.
Exploit Attempt and Instability Signals
Repeated configuration-path errors.
Unusual HTTP status patterns around configuration submission.
Denied access to privileged Jenkins paths.
Scanner-like activity followed by authenticated Jenkins behavior.
Outbound Communication Signals
DNS, proxy, or network activity from Jenkins controllers to newly seen, rare, suspicious, or unapproved destinations.
Persistence and Post-Exploitation Signals (Conditional)
New or modified jobs, plugins, shared libraries, credentials, users, tokens, build triggers, node configuration, or deployment jobs.
Lateral Movement and Expansion Signals (Conditional)
Jenkins-linked credentials or service accounts used against source-code systems, artifact repositories, cloud accounts, Kubernetes clusters, or production deployment systems.
Signal Usage Constraints
Do not treat a single signal as compromise confirmation. Promote confidence when signals align by controller, user, source, job, identity, and time window.
S23 Telemetry Requirements
Required Telemetry
Jenkins audit logs.
Jenkins access logs where available.
Reverse-proxy logs.
WAF logs.
Load-balancer logs.
Endpoint process telemetry from Jenkins controllers.
Endpoint file telemetry from Jenkins controllers.
DNS logs.
Proxy or egress firewall logs.
Jenkins controller asset inventory.
Approved Jenkins administrator lookup.
Approved Jenkins source-network lookup.
Approved Jenkins job inventory.
Approved Jenkins plugin inventory.
Approved Jenkins service-account inventory.
Approved maintenance-window lookup.
Approved release-window lookup.
Strongly Recommended Telemetry
Source-code repository audit logs.
Artifact repository logs.
Container registry logs.
Cloud audit logs.
Kubernetes audit logs.
Secrets manager audit logs.
Identity provider logs.
EDR network telemetry.
NDR session telemetry.
CMDB records.
Cloud tags.
Kubernetes labels.
Jenkins credential metadata.
Jenkins job ownership metadata.
Recently seen domain enrichment.
Approved scanner and validation-source lookup.
Local Mapping Required
Jenkins controller identifier.
Jenkins hostname.
Jenkins base URL.
Jenkins username.
Jenkins role.
Jenkins action.
Job name.
Plugin name.
Credential identifier.
HTTP method.
URI path.
Source IP.
Forwarded source IP.
Authenticated user.
Forwarded user.
Jenkins crumb result where available.
Backend host.
Process name.
Parent process.
Command line.
Process user.
File path.
Destination domain.
Destination IP.
Artifact path.
Cloud account.
Cloud identity.
Kubernetes cluster.
Kubernetes namespace.
Deployment target.
Maintenance-window status.
Release-window status.
Approved administrator status.
Approved job status.
Approved plugin status.
Approved egress-destination status.
S24 Detection Opportunities and Gaps
Detection Opportunities
Suspicious configuration submission can be correlated with privileged Jenkins actions, controller execution, sensitive file access, rare egress, and downstream CI/CD activity.
Endpoint telemetry may reveal controller-side execution even when Jenkins audit logs are incomplete.
WAF and reverse-proxy logs may preserve configuration-path evidence when Jenkins-native logs are incomplete.
Artifact, cloud, Kubernetes, and source-code logs may reveal downstream abuse of Jenkins-linked identities.
Detection Gaps
Jenkins audit logs may be absent or incomplete.
Reverse proxies may not preserve full URI paths.
Endpoint telemetry may be missing from controllers.
Controller identity may not join cleanly across web, endpoint, network, and downstream logs.
Cloud, Kubernetes, artifact, and source-code activity may not map back to Jenkins identities or jobs.
Compensating Controls
Use WAF logs, reverse-proxy logs, load-balancer logs, Jenkins audit logs, endpoint telemetry, file telemetry, DNS logs, proxy logs, source-code logs, artifact logs, cloud logs, Kubernetes logs, release records, approved inventories, and change-control evidence.
Do not rely only on Jenkins version validation if suspicious activity occurred during the exposure window.
S25 Ultra-Tuned Detection Engineering Rules
NDR / Network Behavioral Analytics
Detection Viability Assessment
Production-deployable where Jenkins controller HTTP requests, reverse-proxy routing, WAF events, DNS queries, proxy sessions, authenticated-user headers, Jenkins crumb behavior, and destination-domain enrichment can be joined to the same Jenkins controller. Pure NetFlow is not sufficient because this detection requires Jenkins-specific URI visibility for config.xml, createItem, doCreateItem, doConfigSubmit, Script Console, credentials, plugin manager, user, node, security realm, and job configuration paths.
Rule
Jenkins Config XML Submission With Privileged Path, User Context, or Rare Egress Correlation
Rule Format
Production-deployable NDR / WAF / reverse-proxy behavioral correlation pattern requiring local query-language translation.
Detection Purpose
Detect suspicious Jenkins configuration submission activity that aligns with privileged Jenkins controller access, abnormal authenticated-user context, Script Console exposure, credential-path access, plugin-management access, node-management access, security realm access, or rare outbound communication from the same Jenkins controller.
Detection Logic
Trigger when a Jenkins controller receives POST activity to Jenkins configuration paths involving config.xml, createItem, doCreateItem, doConfigSubmit, item creation, job configuration, or description-submission endpoints from a source that is not an approved Jenkins administrator source or approved scanner.
Assign medium severity when suspicious configuration-path activity occurs against a Jenkins controller from an unapproved or unusual source.
Assign high severity when suspicious configuration-path activity is followed within 60 minutes by access to Script Console, credentials, plugin manager, node management, user management, build-agent management, security realm, or administrative paths on the same controller.
Assign high severity when suspicious configuration-path activity includes an unusual authenticated-user header, unexpected Jenkins crumb behavior, missing expected crumb validation context, invalid crumb result, or source/user mismatch for a Jenkins administrative action.
Promote to critical when suspicious configuration-path activity is followed within 60 minutes by rare outbound communication from the Jenkins controller, or when downstream telemetry confirms credential access, job modification, plugin modification, artifact publication, cloud deployment, Kubernetes activity, controller-side process execution, source-code activity, or production deployment activity.
Required Telemetry
Reverse-proxy logs.
WAF logs.
Load-balancer logs.
Web access logs.
Jenkins access logs where available.
DNS logs.
Proxy logs.
NDR session telemetry.
Authenticated-user header visibility where available.
Jenkins crumb or CSRF validation context where available.
Jenkins controller asset inventory.
Approved Jenkins administrator source lookup.
Approved Jenkins administrator user lookup.
Approved Jenkins scanner lookup.
Approved Jenkins maintenance-window lookup.
Approved Jenkins egress-destination lookup.
Recently seen destination-domain baseline.
Engineering Implementation Instructions
Map http_method, uri_path, query_string, source_ip, x_forwarded_for, x_forwarded_user, authenticated_user, jenkins_crumb_present, jenkins_crumb_result, user_agent, http_status, backend_host, backend_ip, jenkins_controller_id, src_host, dest_domain, dest_ip, dns_query, proxy_action, and timestamp.
Build ASSET_GROUP("jenkins_controllers") from CMDB records, DNS records, reverse-proxy routing, load-balancer target groups, cloud tags, Kubernetes ingress metadata, and Jenkins base URLs.
Create APPROVED_JENKINS_ADMIN_SOURCES, APPROVED_JENKINS_ADMIN_USERS, APPROVED_JENKINS_ADMIN_USER_SOURCE_MAP, APPROVED_JENKINS_SCANNERS, APPROVED_JENKINS_MAINTENANCE_WINDOWS, and APPROVED_JENKINS_EGRESS_DESTINATIONS.
Validate that the local WAF, reverse proxy, or load balancer preserves Jenkins URI paths and does not collapse job-path depth before alert mode.
Validate whether Jenkins crumb fields are available. If crumb fields are unavailable, do not block deployment; rely on URI, user, source, status, Jenkins audit, endpoint, egress, and downstream correlation.
Translate the query pattern into the target NDR, WAF, SIEM, proxy, or detection platform syntax using local lookup and join functions.
Treat TLS termination, URI visibility, backend-host joins, authenticated-user mapping, crumb mapping, egress baselining, allowlist tuning, and SOC triage routing as required local deployment work.
DRI Assessment
High resilience where full Jenkins URI visibility, controller identity, authenticated-user mapping, DNS/proxy telemetry, approved-source enrichment, and rare-destination baselining are available.
DRI
8.6 / 10
TCR Assessment
Operational confidence is moderate for standalone suspicious configuration-path activity and high when configuration activity aligns with privileged Jenkins paths, unusual authenticated-user context, crumb anomalies, or rare controller egress.
Operational TCR
8.2 / 10
Full-Telemetry TCR
9.2 / 10
Limitations
Encrypted traffic without WAF, reverse-proxy, CDN, or server-side HTTP logging may hide Jenkins URI paths. Jenkins crumb visibility is not guaranteed in all logging paths. Legitimate administrative automation may submit job configuration changes. High-severity and critical promotion require local correlation to privileged paths, authenticated-user context, egress, Jenkins audit events, endpoint telemetry, or downstream deployment evidence.
Detection Query Pattern
Production-deployable behavioral pattern pending local query-language translation:
DATASETS:
ENV_WAF
ENV_REVERSE_PROXY
ENV_LOAD_BALANCER
ENV_WEB_ACCESS
ENV_JENKINS_ACCESS
ENV_DNS
ENV_PROXY
SCOPE:
backend_host IN ASSET_GROUP("jenkins_controllers")
WINDOW:
60 minutes
SIGNAL suspicious_config_submission:
http_method = "POST"
AND (
uri_path MATCHES "^/job/.*/config\\.xml$"
OR uri_path MATCHES "^/view/.*/job/.*/config\\.xml$"
OR uri_path = "/config.xml"
OR uri_path CONTAINS "/createItem"
OR uri_path CONTAINS "/doCreateItem"
OR uri_path CONTAINS "/doConfigSubmit"
OR uri_path CONTAINS "/submitDescription"
)
AND source_ip NOT IN LOOKUP("APPROVED_JENKINS_ADMIN_SOURCES")
AND source_ip NOT IN LOOKUP("APPROVED_JENKINS_SCANNERS")
AND timestamp NOT IN LOOKUP("APPROVED_JENKINS_MAINTENANCE_WINDOWS")
SIGNAL suspicious_user_context:
backend_host IN ASSET_GROUP("jenkins_controllers")
AND uri_path CONTAINS "/config"
AND (
authenticated_user NOT IN LOOKUP("APPROVED_JENKINS_ADMIN_USERS")
OR x_forwarded_user NOT IN LOOKUP("APPROVED_JENKINS_ADMIN_USERS")
OR (authenticated_user, source_ip) NOT IN LOOKUP("APPROVED_JENKINS_ADMIN_USER_SOURCE_MAP")
OR jenkins_crumb_result IN ("missing","invalid","unexpected")
)
SIGNAL privileged_jenkins_path:
backend_host IN ASSET_GROUP("jenkins_controllers")
AND (
uri_path CONTAINS "/script"
OR uri_path CONTAINS "/scriptText"
OR uri_path CONTAINS "/credentials"
OR uri_path CONTAINS "/pluginManager"
OR uri_path CONTAINS "/computer/"
OR uri_path CONTAINS "/user/"
OR uri_path CONTAINS "/manage"
OR uri_path CONTAINS "/securityRealm"
)
AND source_ip NOT IN LOOKUP("APPROVED_JENKINS_ADMIN_SOURCES")
SIGNAL rare_controller_egress:
src_host IN ASSET_GROUP("jenkins_controllers")
AND dest_domain NOT IN LOOKUP("APPROVED_JENKINS_EGRESS_DESTINATIONS")
AND dest_domain NOT IN LOOKUP("APPROVED_BUSINESS_DOMAINS")
AND (
dest_domain_age_days < ENV_NEW_DOMAIN_AGE_DAYS
OR domain_reputation IN ("unknown","suspicious","malicious")
OR dest_country NOT IN LOOKUP("APPROVED_EGRESS_COUNTRIES")
)
AND proxy_action IN ("allowed","proxied","connected")
CORRELATION:
suspicious_config_submission NEAR (
suspicious_user_context
OR privileged_jenkins_path
OR rare_controller_egress
)
BY backend_host
WITHIN 60 minutes
OUTPUT:
backend_host
source_ip
x_forwarded_for
authenticated_user
x_forwarded_user
user_agent
uri_path
http_method
http_status
jenkins_crumb_result
dest_domain
dest_ip
first_seen
last_seen
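The detection logic and query pattern above, worked through as an added Python model. This is example code written for this edit, not code from the CyberDax report or from Jenkins; the log format, controller names, allowlists, and log lines are constructed, and the crumb and user-source-map conditions are omitted so the block stays self-contained. It shows the signal classification, the 60-minute same-controller window, and the medium/high/critical promotion order, including an event that falls outside the window.

```python
"""Added example (not the report's own code): an offline model of the S25 NDR
rule's signals, 60-minute correlation, and severity promotion over constructed
reverse-proxy and egress log lines."""
import re
from datetime import datetime, timedelta

# Assumed lookups; a real deployment fills these from the APPROVED_JENKINS_*
# tables and the jenkins_controllers asset group described in the report.
ASSET_GROUP_JENKINS = {"jenkins-01.corp.example", "jenkins-02.corp.example"}
APPROVED_ADMIN_SOURCES = {"10.0.5.10"}
APPROVED_ADMIN_USERS = {"ci-admin"}
APPROVED_EGRESS = {"updates.jenkins.io", "repo.corp.example"}
WINDOW = timedelta(minutes=60)
RANK = {"medium": 1, "high": 2, "critical": 3}

# Configuration-submission paths from the query pattern: anchored regexes for
# config.xml, substring matches for the action endpoints.
CONFIG_PATHS = [re.compile(p) for p in (
    r"^/job/.*/config\.xml$", r"^/view/.*/job/.*/config\.xml$", r"^/config\.xml$",
    r"/createItem", r"/doCreateItem", r"/doConfigSubmit", r"/submitDescription")]
PRIVILEGED_PATHS = ("/script", "/scriptText", "/credentials", "/pluginManager",
                    "/computer/", "/user/", "/manage", "/securityRealm")


def parse_line(line):
    """Parse one constructed, pipe-delimited record:
    ts|kind|backend_host|source_ip|authenticated_user|method|path_or_domain|status_or_action
    kind is "http" (proxy/WAF access log) or "egress" (DNS/proxy log)."""
    parts = line.strip().split("|")
    if len(parts) != 8:
        return None
    ts, kind, host, src, user, method, target, result = parts
    ev = {"ts": datetime.fromisoformat(ts), "kind": kind, "backend_host": host,
          "source_ip": src, "authenticated_user": user}
    if kind == "http":
        ev.update(http_method=method, uri_path=target, http_status=int(result))
    elif kind == "egress":
        ev.update(dest_domain=target, proxy_action=result)
    else:
        return None
    return ev


def classify(ev):
    """Return the set of S25 signal names the event satisfies."""
    sig = set()
    if ev["kind"] == "http":
        path = ev["uri_path"]
        unapproved_src = ev["source_ip"] not in APPROVED_ADMIN_SOURCES
        if (ev["http_method"] == "POST" and unapproved_src
                and any(p.search(path) for p in CONFIG_PATHS)):
            sig.add("suspicious_config_submission")
        if "/config" in path and ev["authenticated_user"] not in APPROVED_ADMIN_USERS:
            sig.add("suspicious_user_context")
        if unapproved_src and any(p in path for p in PRIVILEGED_PATHS):
            sig.add("privileged_jenkins_path")
    elif (ev["kind"] == "egress" and ev["dest_domain"] not in APPROVED_EGRESS
          and ev["proxy_action"] in ("allowed", "proxied", "connected")):
        sig.add("rare_controller_egress")
    return sig


def correlate(lines):
    """Anchor on each suspicious configuration submission and promote severity
    using signals on the same controller within the following 60 minutes."""
    events = [e for e in map(parse_line, lines) if e and e["backend_host"] in ASSET_GROUP_JENKINS]
    tagged = [(e, classify(e)) for e in events]
    findings = []
    for anchor, sigs in tagged:
        if "suspicious_config_submission" not in sigs:
            continue
        # An unusual user context on the submission itself is already high severity.
        severity = "high" if "suspicious_user_context" in sigs else "medium"
        evidence = [anchor["uri_path"]]
        for other, osigs in tagged:
            if other is anchor or other["backend_host"] != anchor["backend_host"]:
                continue
            if not timedelta(0) <= other["ts"] - anchor["ts"] <= WINDOW:
                continue  # outside the bounded window: not correlated
            if "rare_controller_egress" in osigs:
                severity = "critical"
                evidence.append("egress:" + other["dest_domain"])
            elif osigs & {"privileged_jenkins_path", "suspicious_user_context"}:
                severity = max(severity, "high", key=RANK.get)
                evidence.append(other["uri_path"])
        findings.append({"backend_host": anchor["backend_host"], "source_ip": anchor["source_ip"],
                         "authenticated_user": anchor["authenticated_user"],
                         "first_seen": anchor["ts"].isoformat(), "severity": severity,
                         "evidence": evidence})
    return findings


# Constructed sample records (not real logs). The last line is a non-Jenkins host
# and is dropped by the asset-group scope; the 15:30 event is outside the window.
SAMPLE_LOG = """\
2026-06-15T10:00:00|http|jenkins-01.corp.example|203.0.113.7|bob|POST|/job/deploy-prod/config.xml|200
2026-06-15T10:12:00|http|jenkins-01.corp.example|203.0.113.7|bob|POST|/script|200
2026-06-15T10:20:00|egress|jenkins-01.corp.example|-|-|-|stage-cdn.example.net|allowed
2026-06-15T11:00:00|http|jenkins-01.corp.example|10.0.5.10|ci-admin|POST|/job/lib-build/config.xml|200
2026-06-15T13:00:00|http|jenkins-02.corp.example|198.51.100.4|ci-admin|POST|/createItem|200
2026-06-15T15:30:00|http|jenkins-02.corp.example|198.51.100.4|ci-admin|GET|/pluginManager/|200
2026-06-15T16:00:00|http|wiki.corp.example|198.51.100.4|-|POST|/config.xml|404
"""

if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG.splitlines()):
        print(f["severity"], f["backend_host"], f["evidence"])
```

Run stand-alone, the block reports one critical finding for jenkins-01 (config submission, then Script Console path, then rare egress) and one medium finding for jenkins-02, whose later plugin-manager access is 150 minutes out and so does not promote it. The approved-source submission on jenkins-01 produces no anchor at all, which is the allowlist behaviour the rule's tuning depends on.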
SentinelOne
Detection Viability Assessment
Production-deployable where SentinelOne covers Jenkins controllers and captures process creation, parent process, command line, process user, file access, file modification, and network telemetry. This rule is strongest on self-managed Jenkins controllers, dedicated Jenkins VMs, and container hosts where Jenkins controller processes can be separated from normal build-agent execution.
Rule
Jenkins Controller Service Context Execution With Sensitive Path or Egress Behavior
Rule Format
SentinelOne Deep Visibility query pattern for Jenkins controller host behavior requiring local field validation.
Detection Purpose
Detect suspicious Jenkins controller-side process execution, sensitive Jenkins file access, or outbound tooling from the Jenkins service context that may indicate Script Console execution, malicious job execution, controller compromise, or post-exploitation activity following configuration abuse.
Detection Logic
Trigger when a Jenkins controller records shell, scripting, transfer, archive, remote-access, credential-access, or encoding-related process execution from the Jenkins service account, Jenkins Java process tree, Jenkins controller service wrapper, or containerized Jenkins controller process.
Assign medium severity for suspicious Jenkins service-context process execution.
Assign high severity when process execution includes outbound transfer tools, encoded command execution, interactive shell behavior, sensitive Jenkins file access, credential file access, plugin modification, or execution outside approved job patterns.
Promote to critical when correlated with Jenkins Script Console access, config.xml submission activity, credential-store access, plugin modification, job reconfiguration, rare egress, artifact publication, cloud deployment, Kubernetes activity, source-code activity, or production deployment activity.
Required Telemetry
SentinelOne process telemetry.
SentinelOne command-line telemetry.
SentinelOne parent process telemetry.
SentinelOne file telemetry.
SentinelOne network telemetry.
Jenkins controller endpoint group.
Jenkins service account mapping.
Approved Jenkins build-command lookup.
Approved Jenkins maintenance-window lookup.
Approved Jenkins deployment-automation lookup.
Approved Jenkins plugin-maintenance lookup.
Engineering Implementation Instructions
Map EndpointName, EndpointId, AgentUuid, ProcessName, ProcessImagePath, ParentProcessName, ParentProcessImagePath, ProcessUser, CmdLine, FilePath, FileEventType, DstIp, DstPort, DstDomain, and EventTime.
Create ENV_JENKINS_CONTROLLERS and ENV_JENKINS_SERVICE_USERS.
Validate local Jenkins process names, including java, java.exe, jenkins, jenkins.exe, jenkins.war, winstone, wrapper.exe, container runtime parent processes, and systemd service paths.
Create exceptions for approved build commands, backup scripts, maintenance scripts, plugin update scripts, release deployment tooling, and vulnerability validation workflows.
Run in hunt mode before alert mode to baseline normal Jenkins job execution on controllers.
Treat endpoint grouping, service-account mapping, approved command exceptions, maintenance-window suppression, plugin-maintenance suppression, and alert routing as required local deployment work.
DRI Assessment
High where Jenkins controllers have SentinelOne coverage with process lineage, command-line, file, and network telemetry enabled.
DRI
8.9 / 10
TCR Assessment
Strong for suspicious controller-side execution when scoped to Jenkins controllers. Strongest when correlated with Jenkins audit logs, reverse-proxy activity, sensitive file access, or rare egress.
Operational TCR
8.4 / 10
Full-Telemetry TCR
9.4 / 10
Limitations
Legitimate Jenkins jobs may execute shell interpreters, build tools, transfer utilities, archive utilities, and deployment commands. This rule must be scoped to Jenkins controllers and tuned against approved job patterns before alert-mode deployment. Build-agent behavior should be covered by a separate agent-scoped rule if needed.
Detection Query Pattern
SentinelOne Deep Visibility pattern with local field mapping required:
EndpointName IN ENV_JENKINS_CONTROLLERS
AND (
ProcessUser IN ENV_JENKINS_SERVICE_USERS
OR SrcProcName IN ("java","java.exe","jenkins","jenkins.exe","winstone","wrapper.exe")
OR SrcProcCmdLine CONTAINS "jenkins.war"
)
AND TgtProcName IN (
"sh","bash","dash","zsh","cmd.exe","powershell.exe","pwsh.exe",
"python","python3","perl","ruby","groovy","curl","wget","nc","ncat",
"socat","ssh","scp","tar","zip","7z","openssl","certutil.exe","bitsadmin.exe"
)
AND CmdLine NOT IN LOOKUP("APPROVED_JENKINS_BUILD_COMMAND_PATTERNS")
AND CmdLine NOT IN LOOKUP("APPROVED_JENKINS_DEPLOYMENT_COMMAND_PATTERNS")
AND EventTime NOT IN LOOKUP("APPROVED_JENKINS_MAINTENANCE_WINDOWS")
AND (
CmdLine CONTAINS "curl "
OR CmdLine CONTAINS "wget "
OR CmdLine CONTAINS "powershell -enc"
OR CmdLine CONTAINS "FromBase64String"
OR CmdLine CONTAINS "bash -c"
OR CmdLine CONTAINS "/bin/sh -c"
OR CmdLine CONTAINS "nc "
OR CmdLine CONTAINS "ncat "
OR CmdLine CONTAINS "credentials.xml"
OR CmdLine CONTAINS "/var/lib/jenkins/secrets"
OR CmdLine CONTAINS "/var/lib/jenkins/jobs/"
OR CmdLine CONTAINS "/var/lib/jenkins/plugins/"
OR CmdLine CONTAINS "C:\\ProgramData\\Jenkins\\.jenkins\\secrets"
OR CmdLine CONTAINS "C:\\ProgramData\\Jenkins\\.jenkins\\jobs"
OR CmdLine CONTAINS "C:\\ProgramData\\Jenkins\\.jenkins\\plugins"
OR DstDomain NOT IN LOOKUP("APPROVED_JENKINS_EGRESS_DESTINATIONS")
)
OUTPUT:
EndpointName
ProcessUser
SrcProcName
TgtProcName
CmdLine
ParentProcessName
FilePath
FileEventType
DstIp
DstDomain
EventTime
Splunk
Detection Viability Assessment
Production-deployable where Splunk ingests Jenkins audit logs, reverse-proxy or WAF logs, endpoint process and file telemetry, DNS/proxy logs, source-code logs, artifact repository logs, and cloud or Kubernetes logs where Jenkins has downstream access.
Rule
Jenkins Config XML Submission Followed by Script Console Credential or Controller Execution
Rule Format
Splunk SPL production correlation search with local index, sourcetype, macro, and lookup mapping.
Detection Purpose
Detect suspicious Jenkins config.xml or job configuration submission followed by privileged Jenkins activity, Script Console access, credential access, plugin or job modification, controller-side execution, sensitive Jenkins file activity, rare egress, or downstream CI/CD activity.
Detection Logic
Trigger when suspicious Jenkins configuration-path activity occurs and is followed within 60 minutes by one or more privileged Jenkins control-plane signals or Jenkins controller host signals.
Assign high severity when suspicious configuration submission aligns with Script Console access, credential access, API token creation, job reconfiguration, plugin change, Jenkins service-account process execution, sensitive Jenkins file access, unusual authenticated-user context, or rare controller egress.
Promote to critical when downstream artifact publication, source-code activity, cloud deployment, Kubernetes activity, or production deployment activity occurs using Jenkins-linked identity outside an approved release window.
Required Telemetry
Jenkins audit logs.
Jenkins access logs where available.
Reverse-proxy logs.
WAF logs.
Endpoint process logs.
Endpoint file logs.
DNS logs.
Proxy logs.
Source-code repository logs.
Artifact repository logs.
Cloud audit logs where applicable.
Kubernetes audit logs where applicable.
Approved Jenkins administrator lookup.
Approved Jenkins service-account lookup.
Approved maintenance-window lookup.
Approved release-window lookup.
Approved egress-destination lookup.
Approved Jenkins job lookup.
Approved Jenkins plugin lookup.
Engineering Implementation Instructions
Map indexes and sourcetypes for Jenkins audit logs, Jenkins access logs, proxy/WAF logs, EDR process logs, EDR file logs, DNS/proxy logs, source-code logs, artifact logs, cloud logs, and Kubernetes logs.
Normalize jenkins_controller, username, jenkins_action, role, uri_path, http_method, src_ip, x_forwarded_for, x_forwarded_user, authenticated_user, jenkins_crumb_result, user_agent, job_name, plugin_name, credential_id, process_name, parent_process_name, process_user, command_line, file_path, dest_domain, artifact_path, cloud_account, cluster_name, deployment_target, and _time.
Create lookups for approved administrators, approved admin sources, approved scanners, approved service accounts, approved maintenance windows, approved release windows, approved plugins, approved jobs, approved command patterns, approved egress destinations, Jenkins-linked cloud identities, Jenkins-linked Kubernetes service accounts, and Jenkins-linked artifact identities.
Create Splunk macros for local field normalization and maintenance-window evaluation before alert-mode deployment.
Validate that Jenkins controller host identity can join web, audit, endpoint, DNS/proxy, artifact, and cloud/Kubernetes events.
Run in hunt mode against at least 14 to 30 days of history to tune approved release activity, plugin maintenance, backup jobs, build automation, and administrative workflows.
Treat local index mapping, field normalization, lookup creation, join validation, false-positive baseline, macro creation, and SOC workflow routing as required local deployment work.
DRI Assessment
High where Splunk can join Jenkins web, audit, endpoint, network, artifact, and downstream deployment telemetry by controller, user, service account, job, and time window.
DRI
9.1 / 10
TCR Assessment
High when configuration submission is followed by privileged Jenkins behavior and controller host activity. Highest when downstream artifact or deployment telemetry is included.
Operational TCR
8.7 / 10
Full-Telemetry TCR
9.5 / 10
Limitations
Effectiveness depends on local field normalization and Jenkins audit quality. Legitimate administrative automation may require exceptions. Critical promotion requires downstream artifact, cloud, Kubernetes, or deployment telemetry.
Detection Query Pattern
Splunk SPL pattern requiring local lookup, macro, index, and sourcetype mapping:
search index=ENV_WEB_INDEX sourcetype=ENV_REVERSE_PROXY_OR_WAF_SOURCETYPE
dest_host IN ASSET_GROUP("jenkins_controllers")
http_method="POST"
(
uri_path="*/config.xml"
OR uri_path="*/createItem*"
OR uri_path="*/doCreateItem*"
OR uri_path="*/doConfigSubmit*"
OR uri_path="*/submitDescription*"
)
NOT [ | inputlookup APPROVED_JENKINS_ADMIN_SOURCES | fields src_ip ]
NOT [ | inputlookup APPROVED_JENKINS_SCANNERS | fields src_ip ]
| eval normalized_controller=coalesce(dest_host,backend_host,host)
| eval normalized_user=coalesce(authenticated_user,x_forwarded_user,username)
| eval signal="suspicious_config_submission"
| table _time normalized_controller normalized_user src_ip x_forwarded_for user_agent uri_path http_method status jenkins_crumb_result signal
| append [
search index=ENV_JENKINS_AUDIT_INDEX sourcetype=ENV_JENKINS_AUDIT_SOURCETYPE
jenkins_action IN ("script_console_access","scriptText_execute","credential_read","credential_update","api_token_create","job_config_update","plugin_install","plugin_update","plugin_disable","user_impersonation","admin_login","node_config_update","security_realm_update")
| eval normalized_controller=coalesce(jenkins_controller,host)
| eval normalized_user=coalesce(username,user)
| eval signal=jenkins_action
| table _time normalized_controller normalized_user src_ip job_name plugin_name credential_id jenkins_action signal
]
| append [
search index=ENV_EDR_PROCESS_INDEX sourcetype=ENV_EDR_PROCESS_SOURCETYPE
host IN ASSET_GROUP("jenkins_controllers")
(
[ | inputlookup JENKINS_SERVICE_ACCOUNTS | fields process_user ]
OR parent_process_name IN ("java","java.exe","jenkins","jenkins.exe","winstone","wrapper.exe")
)
process_name IN ("sh","bash","dash","zsh","cmd.exe","powershell.exe","pwsh.exe","python","python3","perl","ruby","groovy","curl","wget","nc","ncat","socat","ssh","scp","tar","zip","7z","openssl","certutil.exe","bitsadmin.exe")
NOT [ | inputlookup APPROVED_JENKINS_COMMAND_PATTERNS | fields command_line ]
| eval normalized_controller=host
| eval signal="jenkins_controller_service_execution"
| table _time normalized_controller process_user process_name parent_process_name command_line signal
]
| append [
search index=ENV_EDR_FILE_INDEX sourcetype=ENV_EDR_FILE_SOURCETYPE
host IN ASSET_GROUP("jenkins_controllers")
(
file_path="*/credentials.xml"
OR file_path="*/secrets/*"
OR file_path="*/jobs/*/config.xml"
OR file_path="*/plugins/*"
OR file_path="*/users/*/config.xml"
)
event_action IN ("read","open","modify","create","rename","write")
| eval normalized_controller=host
| eval signal="sensitive_jenkins_file_activity"
| table _time normalized_controller file_path event_action process_name process_user signal
]
| append [
search index=ENV_DNS_OR_PROXY_INDEX
src_host IN ASSET_GROUP("jenkins_controllers")
NOT [ | inputlookup APPROVED_JENKINS_EGRESS_DESTINATIONS | fields dest_domain ]
NOT [ | inputlookup APPROVED_BUSINESS_DOMAINS | fields dest_domain ]
| eval normalized_controller=src_host
| eval signal="rare_jenkins_controller_egress"
| table _time normalized_controller dest_domain dest_ip signal
]
| bin _time span=60m
| stats
values(signal) as signals
values(src_ip) as src_ips
values(x_forwarded_for) as x_forwarded_for
values(user_agent) as user_agents
values(uri_path) as uri_paths
values(normalized_user) as users
values(jenkins_crumb_result) as crumb_results
values(job_name) as jobs
values(plugin_name) as plugins
values(credential_id) as credentials
values(process_name) as processes
values(parent_process_name) as parent_processes
values(command_line) as command_lines
values(file_path) as file_paths
values(dest_domain) as dest_domains
min(_time) as first_seen
max(_time) as last_seen
by normalized_controller _time
| eval has_config=if(mvfind(signals,"suspicious_config_submission")>=0,1,0)
| eval has_privileged=if(
mvfind(signals,"script_console_access")>=0
OR mvfind(signals,"scriptText_execute")>=0
OR mvfind(signals,"credential_read")>=0
OR mvfind(signals,"credential_update")>=0
OR mvfind(signals,"api_token_create")>=0
OR mvfind(signals,"job_config_update")>=0
OR mvfind(signals,"plugin_install")>=0
OR mvfind(signals,"plugin_update")>=0
OR mvfind(signals,"plugin_disable")>=0
OR mvfind(signals,"user_impersonation")>=0
OR mvfind(signals,"node_config_update")>=0
OR mvfind(signals,"security_realm_update")>=0
OR mvfind(signals,"jenkins_controller_service_execution")>=0
OR mvfind(signals,"sensitive_jenkins_file_activity")>=0
OR mvfind(signals,"rare_jenkins_controller_egress")>=0,
1,0
)
| where has_config=1 AND has_privileged=1
| lookup APPROVED_JENKINS_MAINTENANCE_WINDOWS normalized_controller OUTPUT in_maintenance
| where isnull(in_maintenance)
| eval severity="high"
| eval cyberdax_rule="Jenkins Config XML Submission Followed by Script Console Credential or Controller Execution"
| table first_seen last_seen normalized_controller severity signals src_ips x_forwarded_for users crumb_results user_agents uri_paths jobs plugins credentials processes parent_processes command_lines file_paths dest_domains cyberdax_rule
Elastic
Detection Viability Assessment
Production-deployable where Elastic has Jenkins audit events, reverse-proxy or WAF events, endpoint process and file events, DNS/proxy events, and enrichment linking Jenkins controller identity to host identity. Exception logic must be implemented using Elastic exception lists, value lists, event filters, or equivalent local rule exceptions.
Rule
Jenkins Config XML Request to Privileged Controller Activity Sequence
Rule Format
Elastic EQL production sequence with Elastic exception lists, value lists, and local ECS mapping.
Detection Purpose
Detect suspicious Jenkins configuration-path activity followed by privileged Jenkins actions, controller-side execution, sensitive Jenkins file activity, or rare outbound communication.
Detection Logic
Trigger when a suspicious Jenkins configuration-path request is followed within 60 minutes by Script Console access, credential access, job or plugin changes, Jenkins service-account process execution, sensitive Jenkins file activity, or rare-destination network activity.
Assign high severity when the sequence occurs on a production Jenkins controller outside approved maintenance.
Promote to critical when the same controller, Jenkins user, Jenkins service account, job, artifact identity, cloud identity, or release workflow is tied to artifact publication, cloud deployment, Kubernetes activity, or production deployment outside approved release windows.
Required Telemetry
Reverse-proxy events.
WAF events.
Jenkins audit events.
Endpoint process events.
Endpoint file events.
DNS or proxy events.
Jenkins controller asset enrichment.
Elastic value list for Jenkins controllers.
Elastic value list for approved Jenkins administrator sources.
Elastic value list for approved scanners.
Elastic value list for approved Jenkins service accounts.
Elastic value list for approved egress destinations.
Elastic exception list for approved maintenance windows.
Elastic exception list for approved command patterns.
Engineering Implementation Instructions
Map event.dataset, url.path, http.request.method, source.ip, user_agent.original, host.name, jenkins.controller.id, jenkins.user.name, jenkins.action, jenkins.job.name, jenkins.plugin.name, jenkins.credential.id, process.name, process.command_line, process.parent.name, user.name, file.path, event.action, destination.domain, and @timestamp.
Create Elastic value lists for Jenkins controllers, approved Jenkins administrator CIDRs, approved scanners, approved Jenkins service accounts, approved egress destinations, approved plugins, and approved jobs.
Create Elastic exception rules for approved maintenance windows and approved command patterns if local Elastic licensing or rule design supports exception-based suppression.
If Elastic cannot express a maintenance-window exception directly in EQL, implement maintenance-window suppression through rule exceptions, alert suppression, post-processing, or detection-engineering workflow logic.
Validate join keys between proxy/WAF events, Jenkins audit events, endpoint events, and DNS/proxy events before alert mode.
Treat local ECS mapping, value-list creation, exception-list creation, join-key validation, alert severity tuning, historical baselining, and rule-action routing as required local deployment work.
DRI Assessment
High where Jenkins web, audit, endpoint, and network events share reliable controller identity.
DRI
8.8 / 10
TCR Assessment
Strong when a suspicious Jenkins configuration request is followed by privileged Jenkins behavior or endpoint execution. Weaker where Jenkins audit events are absent.
Operational TCR
8.3 / 10
Full-Telemetry TCR
9.3 / 10
Limitations
EQL sequence quality depends on reliable join keys. Jenkins audit events may require custom ingestion. Legitimate automation must be covered by exceptions. Critical promotion requires downstream artifact or deployment correlation. Maintenance-window suppression may require rule exceptions or post-detection suppression depending on local Elastic capabilities.
Detection Query Pattern
Elastic EQL sequence pattern with value-list and exception-list placeholders requiring local implementation:
sequence by host.name with maxspan=60m
[ any where
event.dataset in ("ENV_REVERSE_PROXY_DATASET","ENV_WAF_DATASET","ENV_WEB_ACCESS_DATASET") and
http.request.method == "POST" and
(
wildcard(url.path, "*/config.xml") or
wildcard(url.path, "*/createItem*") or
wildcard(url.path, "*/doCreateItem*") or
wildcard(url.path, "*/doConfigSubmit*") or
wildcard(url.path, "*/submitDescription*")
) and
not source.ip in $APPROVED_JENKINS_ADMIN_SOURCES and
not source.ip in $APPROVED_JENKINS_SCANNERS
]
[ any where
(
event.dataset == "ENV_JENKINS_AUDIT_DATASET" and
jenkins.action in (
"script_console_access",
"scriptText_execute",
"credential_read",
"credential_update",
"api_token_create",
"job_config_update",
"plugin_install",
"plugin_update",
"plugin_disable",
"user_impersonation",
"node_config_update",
"security_realm_update"
)
)
or
(
event.category == "process" and
host.name in $JENKINS_CONTROLLERS and
(
user.name in $JENKINS_SERVICE_ACCOUNTS or
process.parent.name in ("java","java.exe","jenkins","jenkins.exe","winstone","wrapper.exe")
) and
process.name in ("sh","bash","dash","zsh","cmd.exe","powershell.exe","pwsh.exe","python","python3","perl","ruby","groovy","curl","wget","nc","ncat","socat","ssh","scp","tar","zip","7z","openssl","certutil.exe","bitsadmin.exe") and
not process.command_line in $APPROVED_JENKINS_COMMAND_PATTERNS
)
or
(
event.category == "file" and
host.name in $JENKINS_CONTROLLERS and
(
wildcard(file.path, "*/credentials.xml") or
wildcard(file.path, "*/secrets/*") or
wildcard(file.path, "*/jobs/*/config.xml") or
wildcard(file.path, "*/plugins/*") or
wildcard(file.path, "*/users/*/config.xml")
) and
event.action in ("open","read","modification","creation","rename","write")
)
or
(
event.category == "network" and
host.name in $JENKINS_CONTROLLERS and
not destination.domain in $APPROVED_JENKINS_EGRESS_DESTINATIONS
)
]
until
[ any where
event.dataset == "ENV_CHANGE_CONTROL_DATASET" and
event.action in ("approved_jenkins_maintenance_start","approved_release_window_start")
]
QRadar
Detection Viability Assessment
Production-deployable where QRadar parses Jenkins audit logs, reverse-proxy or WAF logs, EDR logs, DNS/proxy logs, source-code logs, artifact logs, and cloud/Kubernetes logs into reliable custom properties. This should be implemented as building blocks with an offense rule. The AQL patterns below are validation searches for building-block logic, not three separate standalone production alerts.
Rule
Jenkins Config XML Abuse With Privileged Controller Activity Offense
Rule Format
QRadar building-block and offense-rule implementation pattern with AQL validation searches.
Detection Purpose
Correlate suspicious Jenkins configuration-path activity with privileged Jenkins actions, controller-side process execution, sensitive Jenkins file access, rare egress, or downstream deployment activity.
Detection Logic
Trigger building block one when a Jenkins controller receives suspicious POST activity to config.xml, createItem, doCreateItem, doConfigSubmit, or related job configuration paths.
Trigger building block two when Jenkins audit telemetry shows Script Console access, credential access, API token changes, job configuration changes, plugin changes, node changes, security realm changes, or user impersonation.
Trigger building block three when endpoint or network telemetry shows Jenkins service-account process execution, sensitive Jenkins file activity, or rare controller egress.
Create a high-severity offense when building block one and either building block two or building block three occur on the same Jenkins controller within 60 minutes.
Promote to critical when artifact publication, cloud deployment, Kubernetes activity, source-code activity, or production deployment activity occurs with Jenkins-linked identity within 120 minutes.
Required Telemetry
Jenkins audit logs.
Reverse-proxy logs.
WAF logs.
Endpoint process logs.
Endpoint file logs.
DNS logs.
Proxy logs.
Artifact repository logs where applicable.
Cloud audit logs where applicable.
Kubernetes audit logs where applicable.
Jenkins controller reference set.
Approved administrator reference set.
Approved scanner reference set.
Approved maintenance-window reference set.
Approved egress-destination reference set.
Approved Jenkins service-account reference set.
Engineering Implementation Instructions
Create custom properties for JENKINS_CONTROLLER, URLPATH, HTTP_METHOD, SOURCEIP, USERNAME, JENKINS_ACTION, JOB_NAME, PLUGIN_NAME, CREDENTIAL_ID, PROCESSNAME, COMMANDLINE, FILEPATH, DESTINATIONDOMAIN, ARTIFACT_PATH, CLOUD_ACCOUNT, CLUSTER_NAME, and DEPLOYMENT_TARGET.
Create reference sets for Jenkins controllers, approved administrators, approved admin sources, approved scanners, approved maintenance windows, approved release windows, approved plugins, approved jobs, approved command patterns, approved egress destinations, and Jenkins service accounts.
Validate DSM parsing for each log source before enabling offense correlation.
Test each building block independently with historical data.
Treat DSM parsing, custom property creation, reference-set loading, building-block validation, offense magnitude, ownership routing, and suppression workflow as required local deployment work.
DRI Assessment
Moderate to high where QRadar custom properties and reference sets are reliable.
DRI
8.3 / 10
TCR Assessment
Strong when Jenkins configuration-path activity, privileged Jenkins actions, and controller host behavior can be joined by controller identity. Lower when Jenkins audit parsing is incomplete.
Operational TCR
8.0 / 10
Full-Telemetry TCR
9.1 / 10
Limitations
QRadar effectiveness depends on DSM parsing quality, custom property accuracy, reference-set hygiene, and offense-rule correlation. Weak URI parsing or missing Jenkins audit logs will materially reduce confidence.
Detection Query Pattern
QRadar building-block validation searches and offense logic:
BUILDING BLOCK ONE VALIDATION SEARCH:
SELECT QIDNAME(qid) AS event_name, JENKINS_CONTROLLER, URLPATH, HTTP_METHOD, SOURCEIP, USERNAME, starttime
FROM events
WHERE REFERENCESETCONTAINS('ENV_JENKINS_CONTROLLERS', JENKINS_CONTROLLER)
AND HTTP_METHOD = 'POST'
AND (
LOWER(URLPATH) LIKE '%/config.xml'
OR LOWER(URLPATH) LIKE '%/createitem%'
OR LOWER(URLPATH) LIKE '%/docreateitem%'
OR LOWER(URLPATH) LIKE '%/doconfigsubmit%'
OR LOWER(URLPATH) LIKE '%/submitdescription%'
)
AND NOT REFERENCESETCONTAINS('ENV_APPROVED_JENKINS_ADMIN_SOURCES', SOURCEIP)
AND NOT REFERENCESETCONTAINS('ENV_APPROVED_JENKINS_SCANNERS', SOURCEIP)
LAST 60 MINUTES
BUILDING BLOCK TWO VALIDATION SEARCH:
SELECT QIDNAME(qid) AS event_name, JENKINS_CONTROLLER, USERNAME, JENKINS_ACTION, JOB_NAME, PLUGIN_NAME, CREDENTIAL_ID, starttime
FROM events
WHERE REFERENCESETCONTAINS('ENV_JENKINS_CONTROLLERS', JENKINS_CONTROLLER)
AND JENKINS_ACTION IN (
'script_console_access',
'scriptText_execute',
'credential_read',
'credential_update',
'api_token_create',
'job_config_update',
'plugin_install',
'plugin_update',
'plugin_disable',
'user_impersonation',
'node_config_update',
'security_realm_update'
)
LAST 60 MINUTES
BUILDING BLOCK THREE VALIDATION SEARCH:
SELECT QIDNAME(qid) AS event_name, JENKINS_CONTROLLER, PROCESSNAME, COMMANDLINE, FILEPATH, DESTINATIONDOMAIN, starttime
FROM events
WHERE REFERENCESETCONTAINS('ENV_JENKINS_CONTROLLERS', JENKINS_CONTROLLER)
AND (
PROCESSNAME IN ('sh','bash','dash','zsh','cmd.exe','powershell.exe','pwsh.exe','python','python3','perl','ruby','groovy','curl','wget','nc','ncat','ssh','scp','certutil.exe','bitsadmin.exe')
OR LOWER(FILEPATH) LIKE '%/credentials.xml'
OR LOWER(FILEPATH) LIKE '%/secrets/%'
OR LOWER(FILEPATH) LIKE '%/jobs/%/config.xml'
OR LOWER(FILEPATH) LIKE '%/users/%/config.xml'
OR NOT REFERENCESETCONTAINS('ENV_APPROVED_JENKINS_EGRESS_DESTINATIONS', DESTINATIONDOMAIN)
)
LAST 60 MINUTES
OFFENSE RULE CONDITION:
Building block one and either building block two or building block three occur on the same JENKINS_CONTROLLER within 60 minutes outside approved maintenance.
CRITICAL PROMOTION CONDITION:
Artifact, cloud, Kubernetes, source-code, or production deployment activity occurs with a Jenkins-linked identity within 120 minutes of the high-severity offense.
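As an added example (not part of the CyberDax report or any SIEM vendor's code), the Python below implements the offense logic just described and the Splunk correlation search earlier on the page: a building-block-one signal followed on the same controller within 60 minutes by a building-block-two or -three signal raises a high offense, approved maintenance suppresses it, and Jenkins-linked downstream activity within 120 minutes promotes it to critical. Controller names, the signal values used for downstream activity, timestamps and maintenance windows are constructed; the fixed_bin_pairs helper contrasts the sliding window with the fixed 60-minute buckets that a bin-style query produces.

```python
"""Sliding-window correlation of the Jenkins building-block signals.
Added example, not the report's rule text or any SIEM vendor's code; every
event, controller name and timestamp below is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Signal names mirror the building blocks described in the text.
BB1 = {"suspicious_config_submission"}
BB2 = {"script_console_access", "scriptText_execute", "credential_read", "credential_update",
       "api_token_create", "job_config_update", "plugin_install", "plugin_update",
       "plugin_disable", "user_impersonation", "node_config_update", "security_realm_update"}
BB3 = {"jenkins_controller_service_execution", "sensitive_jenkins_file_activity",
       "rare_jenkins_controller_egress"}
# Constructed names for the downstream activity classes the text lists.
DOWNSTREAM = {"artifact_publish", "cloud_deploy", "kubernetes_activity",
              "source_code_activity", "production_deploy"}
OFFENSE_WINDOW = timedelta(minutes=60)     # BB1 -> BB2/BB3 pairing window
PROMOTION_WINDOW = timedelta(minutes=120)  # downstream activity after the offense
Window = Tuple[datetime, datetime]

@dataclass(frozen=True)
class Event:
    time: datetime
    controller: str
    signal: str

@dataclass
class Offense:
    controller: str
    first_seen: datetime
    last_seen: datetime
    severity: str
    signals: List[str] = field(default_factory=list)

def in_maintenance(controller: str, t: datetime, windows: Dict[str, List[Window]]) -> bool:
    """True when t falls inside an approved maintenance window for the controller."""
    return any(start <= t <= end for start, end in windows.get(controller, []))

def correlate(events: List[Event], maintenance: Dict[str, List[Window]]) -> List[Offense]:
    """One offense per controller: the first BB1 event outside maintenance that is
    followed within 60 minutes by a BB2 or BB3 event (high). Downstream activity
    within 120 minutes of the offense's last signal promotes it to critical."""
    by_ctrl: Dict[str, List[Event]] = {}
    for e in sorted(events, key=lambda x: x.time):
        by_ctrl.setdefault(e.controller, []).append(e)
    offenses: List[Offense] = []
    for ctrl, evs in by_ctrl.items():
        for i, trigger in enumerate(evs):
            if trigger.signal not in BB1 or in_maintenance(ctrl, trigger.time, maintenance):
                continue
            followers = [f for f in evs[i + 1:]
                         if f.signal in (BB2 | BB3) and f.time - trigger.time <= OFFENSE_WINDOW]
            if not followers:
                continue
            off = Offense(ctrl, trigger.time, followers[-1].time, "high",
                          [trigger.signal] + [f.signal for f in followers])
            downstream = [d for d in evs if d.signal in DOWNSTREAM
                          and off.first_seen <= d.time <= off.last_seen + PROMOTION_WINDOW]
            if downstream:
                off.severity = "critical"
                off.signals += [d.signal for d in downstream]
            offenses.append(off)
            break  # aggregate into one offense per controller, as an offense rule would
    return offenses

def fixed_bin_pairs(events: List[Event]) -> Dict[str, bool]:
    """Contrast: fixed clock-hour buckets, as a 'bin _time span=60m' stage produces.
    Returns, per controller, whether BB1 and a BB2/BB3 signal share a bucket;
    a submission at :58 followed by Script Console access at :02 does not pair."""
    buckets: Dict[Tuple[str, datetime], Set[str]] = {}
    for e in events:
        key = (e.controller, e.time.replace(minute=0, second=0, microsecond=0))
        buckets.setdefault(key, set()).add(e.signal)
    paired: Dict[str, bool] = {}
    for (ctrl, _), sigs in buckets.items():
        paired[ctrl] = paired.get(ctrl, False) or bool(sigs & BB1 and sigs & (BB2 | BB3))
    return paired

# Constructed sample stream; times straddle a clock-hour boundary on purpose.
T0 = datetime(2026, 6, 15, 9, 58)
SAMPLE_EVENTS = [
    Event(T0, "jenkins-prod-01", "suspicious_config_submission"),
    Event(T0 + timedelta(minutes=4), "jenkins-prod-01", "script_console_access"),
    Event(T0 + timedelta(minutes=9), "jenkins-prod-01", "jenkins_controller_service_execution"),
    Event(T0 + timedelta(minutes=95), "jenkins-prod-01", "artifact_publish"),
    # Same pattern inside an approved maintenance window: suppressed.
    Event(T0, "jenkins-prod-02", "suspicious_config_submission"),
    Event(T0 + timedelta(minutes=5), "jenkins-prod-02", "plugin_update"),
    # Privileged action 61 minutes later: outside the pairing window.
    Event(T0, "jenkins-dev-01", "suspicious_config_submission"),
    Event(T0 + timedelta(minutes=61), "jenkins-dev-01", "credential_read"),
]
MAINTENANCE: Dict[str, List[Window]] = {
    "jenkins-prod-02": [(T0 - timedelta(hours=1), T0 + timedelta(hours=1))],
}
```

Run correlate(SAMPLE_EVENTS, MAINTENANCE) and compare with fixed_bin_pairs(SAMPLE_EVENTS): the sliding window raises one critical offense for jenkins-prod-01, while the fixed buckets pair nothing because the submission and the privileged activity fall on opposite sides of the hour.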
SIGMA
Detection Viability Assessment
Production-deployable after conversion and local enrichment where endpoint process telemetry is collected from Jenkins controllers. SIGMA is appropriate for portable host detection of suspicious Jenkins service-context execution and should be promoted through the target SIEM only when joined with Jenkins audit or web telemetry.
Rule
Jenkins Controller Suspicious Service Context Execution
Rule Format
SIGMA portable process-creation rule requiring target-SIEM conversion, Jenkins host enrichment, and local exception logic.
Detection Purpose
Detect suspicious shell, scripting, transfer, remote-access, archive, encoding, or credential-related process execution from Jenkins controller service context.
Detection Logic
Trigger when a Jenkins parent process or Jenkins service account spawns suspicious interpreters, transfer tools, remote-access tools, encoded PowerShell, shell wrappers, archive utilities, or credential-access commands on a Jenkins controller.
Assign medium severity for standalone converted rule matches.
Promote to high severity in the target SIEM when correlated with Jenkins config.xml activity, Script Console access, credential access, job changes, plugin changes, sensitive file reads, or rare egress.
Required Telemetry
Process creation telemetry.
Command-line telemetry.
Parent process telemetry.
User field.
Host asset enrichment.
Jenkins service account enrichment.
Approved Jenkins command-pattern exceptions.
Approved Jenkins maintenance-window exceptions.
Engineering Implementation Instructions
Convert to the target SIEM.
Map Image, ParentImage, CommandLine, User, Hostname, CurrentDirectory, EventID, and process creation timestamp.
Add Jenkins controller asset enrichment after conversion.
Add approved Jenkins build-command, deployment-command, backup-command, plugin-maintenance, and release-window exceptions after conversion.
Do not deploy as high or critical severity without correlation logic in the target SIEM.
Treat target-SIEM conversion, field mapping, host enrichment, exception logic, and correlation-layer promotion as required local deployment work.
DRI Assessment
Medium to high after conversion and Jenkins controller enrichment.
DRI
8.2 / 10
TCR Assessment
Good for portable endpoint detection. Stronger when joined with Jenkins audit, reverse-proxy, WAF, DNS, or proxy telemetry.
Operational TCR
7.8 / 10
Full-Telemetry TCR
8.9 / 10
Limitations
Legitimate Jenkins builds often execute shells, scripts, transfer tools, archive tools, and deployment utilities. Host scoping and approved job exceptions are required.
Detection Query Pattern
SIGMA rule requiring target-SIEM conversion and local exception enrichment:
title: Jenkins Controller Suspicious Service Context Execution
id: ENV-GENERATE-LOCAL-ID-JENKINS-CONTROLLER-SERVICE-EXECUTION
status: stable
description: Detects suspicious shell, scripting, transfer, archive, remote-access, or credential-related execution from Jenkins controller service context.
logsource:
    category: process_creation
detection:
    selection_parent_linux:
        ParentImage|contains:
            - '/jenkins'
            - '/java'
            - 'jenkins.war'
            - '/winstone'
    selection_parent_windows:
        ParentImage|contains:
            - '\jenkins'
            - '\java.exe'
            - 'jenkins.war'
            - '\wrapper.exe'
    selection_user:
        User|contains:
            - 'jenkins'
            - 'svc-jenkins'
            - 'ENV_JENKINS_SERVICE_USER'
    selection_process_linux:
        Image|endswith:
            - '/sh'
            - '/bash'
            - '/dash'
            - '/zsh'
            - '/python'
            - '/python3'
            - '/perl'
            - '/ruby'
            - '/groovy'
            - '/curl'
            - '/wget'
            - '/nc'
            - '/ncat'
            - '/socat'
            - '/ssh'
            - '/scp'
            - '/tar'
            - '/zip'
            - '/7z'
            - '/openssl'
    selection_process_windows:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\certutil.exe'
            - '\bitsadmin.exe'
            - '\curl.exe'
            - '\wget.exe'
            - '\ssh.exe'
            - '\scp.exe'
            - '\tar.exe'
            - '\7z.exe'
    selection_suspicious_command:
        CommandLine|contains:
            - 'credentials.xml'
            - '/secrets/'
            - '\secrets\'
            - '/jobs/'
            - '\jobs\'
            - '/plugins/'
            - '\plugins\'
            - 'powershell -enc'
            - 'FromBase64String'
            - 'curl '
            - 'wget '
            - 'nc '
            - 'ncat '
            - 'bash -c'
            - '/bin/sh -c'
    condition: (selection_process_linux or selection_process_windows) and (selection_parent_linux or selection_parent_windows or selection_user) and selection_suspicious_command
fields:
    - Hostname
    - User
    - ParentImage
    - Image
    - CommandLine
    - CurrentDirectory
falsepositives:
    - Approved Jenkins build jobs
    - Approved deployment jobs
    - Approved backup jobs
    - Approved plugin maintenance
    - Approved administrative scripts
level: medium
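To show how the rule's selections combine before it is converted for a target SIEM, here is an added Python evaluator (not a Sigma backend and not the report's own tooling) that transcribes the selections above and applies the condition to constructed process-creation events; the evaluate and matching_hosts names and every sample event are constructed for this illustration.

```python
"""Evaluator for the Sigma rule's selections and condition against
process-creation events. Added example, not a Sigma backend and not the
report's rule itself: the selections are transcribed into Python so an
engineer can see which constructed events the condition matches.
"""
from typing import Dict, List

def _lc(values: List[str]) -> List[str]:
    return [v.lower() for v in values]

# Selections transcribed from the rule. Sigma string matching is
# case-insensitive by default, so needles and event values are lowercased.
PARENT_LINUX = _lc(["/jenkins", "/java", "jenkins.war", "/winstone"])
PARENT_WINDOWS = _lc(["\\jenkins", "\\java.exe", "jenkins.war", "\\wrapper.exe"])
SERVICE_USERS = _lc(["jenkins", "svc-jenkins"])  # ENV_JENKINS_SERVICE_USER is a local placeholder
IMAGE_LINUX = _lc(["/sh", "/bash", "/dash", "/zsh", "/python", "/python3", "/perl", "/ruby",
                   "/groovy", "/curl", "/wget", "/nc", "/ncat", "/socat", "/ssh", "/scp",
                   "/tar", "/zip", "/7z", "/openssl"])
IMAGE_WINDOWS = _lc(["\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\certutil.exe",
                     "\\bitsadmin.exe", "\\curl.exe", "\\wget.exe", "\\ssh.exe", "\\scp.exe",
                     "\\tar.exe", "\\7z.exe"])
SUSPICIOUS_CMD = _lc(["credentials.xml", "/secrets/", "\\secrets\\", "/jobs/", "\\jobs\\",
                      "/plugins/", "\\plugins\\", "powershell -enc", "FromBase64String",
                      "curl ", "wget ", "nc ", "ncat ", "bash -c", "/bin/sh -c"])

def _contains_any(value: str, needles: List[str]) -> bool:
    return any(n in value for n in needles)

def _endswith_any(value: str, needles: List[str]) -> bool:
    return any(value.endswith(n) for n in needles)

def evaluate(event: Dict[str, str]) -> Dict[str, bool]:
    """Return the truth value of each named selection and of the rule condition
    for one process-creation event (Sysmon-style field names, as in the rule)."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    user = event.get("User", "").lower()
    cmd = event.get("CommandLine", "").lower()
    sel = {
        "selection_parent_linux": _contains_any(parent, PARENT_LINUX),
        "selection_parent_windows": _contains_any(parent, PARENT_WINDOWS),
        "selection_user": _contains_any(user, SERVICE_USERS),
        "selection_process_linux": _endswith_any(image, IMAGE_LINUX),
        "selection_process_windows": _endswith_any(image, IMAGE_WINDOWS),
        "selection_suspicious_command": _contains_any(cmd, SUSPICIOUS_CMD),
    }
    sel["condition"] = (
        (sel["selection_process_linux"] or sel["selection_process_windows"])
        and (sel["selection_parent_linux"] or sel["selection_parent_windows"]
             or sel["selection_user"])
        and sel["selection_suspicious_command"]
    )
    return sel

def matching_hosts(events: List[Dict[str, str]]) -> List[str]:
    """Hostnames of the events the condition matches, in input order."""
    return [e.get("Hostname", "") for e in events if evaluate(e)["condition"]]

# Constructed process-creation events; none are real telemetry.
SAMPLE_EVENTS = [
    {   # Jenkins JVM spawns a shell that lists the controller's secrets directory
        "Hostname": "jenkins-prod-01", "User": "jenkins",
        "ParentImage": "/usr/lib/jvm/java-17/bin/java", "Image": "/usr/bin/bash",
        "CommandLine": "bash -c 'ls /var/lib/jenkins/secrets/'"},
    {   # ordinary build step from the same parent: Image is not in the process selections
        "Hostname": "jenkins-prod-01", "User": "jenkins",
        "ParentImage": "/usr/lib/jvm/java-17/bin/java", "Image": "/opt/maven/bin/mvn",
        "CommandLine": "mvn -B package"},
    {   # admin shell under sshd: command text matches, but no Jenkins parent or service user
        "Hostname": "jenkins-prod-01", "User": "alice",
        "ParentImage": "/usr/sbin/sshd", "Image": "/usr/bin/bash",
        "CommandLine": "bash -c 'systemctl status jenkins'"},
    {   # Windows service wrapper spawning encoded PowerShell (the encoded string is a dummy)
        "Hostname": "JENKINS-WIN-01", "User": "NT SERVICE\\jenkins",
        "ParentImage": "C:\\Program Files\\Jenkins\\jenkins.exe",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell -enc QQBCAA=="},
]
```

The third event shows why the condition gates on parent or user as well as command text: an operator's own shell that happens to contain "bash -c" is not attributed to the Jenkins service context and does not match.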
YARA
Detection Viability Assessment
Limited but production-usable for artifact triage. YARA should not be treated as primary detection for Jenkins deserialization exploitation. It is viable for identifying suspicious Groovy, job configuration, plugin, shared-library, or workspace artifacts that may support persistence, credential access, process execution, or outbound staging after Jenkins controller compromise.
Rule
Jenkins Suspicious Groovy Credential Access or Process Execution Artifact
Rule Format
YARA artifact-scanning rule for Jenkins home, job configs, plugin directories, shared libraries, workspace artifacts, and forensic exports.
Detection Purpose
Detect suspicious Jenkins artifacts containing combinations of Jenkins Groovy access, credential-provider access, process execution, shell invocation, outbound transfer, or encoded payload behavior.
Detection Logic
Trigger when files under Jenkins home, job configuration exports, plugin directories, shared libraries, or suspicious workspace artifacts contain combinations of Jenkins object access, Groovy or Java process execution, credential-provider access, outbound network functions, shell invocation, or encoding behavior.
Assign medium severity for standalone matches.
Promote to high severity when the matched file is newly created, modified outside maintenance, associated with an unapproved job, unapproved plugin, unapproved shared library, suspicious workspace artifact, or correlated with suspicious Jenkins audit, web, endpoint, or egress telemetry.
Do not use this YARA rule as a standalone proof of compromise. Treat it as an artifact-triage accelerator that requires path, timestamp, owner, inventory, and telemetry correlation.
Required Telemetry
Jenkins home file exports.
Job configuration backups.
Plugin directory exports.
Shared-library repository content.
Workspace artifact exports.
File modification timestamps.
Approved Jenkins job inventory.
Approved Jenkins plugin inventory.
Approved Jenkins shared-library inventory.
Approved maintenance-window records.
Forensic collection workflow.
Engineering Implementation Instructions
Use this rule in controlled scanning workflows and forensic triage, not as primary live exploit detection.
Scan Jenkins home backups, job config exports, plugin directories, shared libraries, suspicious workspace artifacts, and forensic images.
Tune approved Groovy administration scripts, known shared libraries, plugin source paths, normal credential-helper code, and expected build tooling before alerting.
Correlate YARA hits with Jenkins audit logs, endpoint telemetry, job ownership, plugin inventory, shared-library ownership, change records, suspicious web activity, and file modification time.
Treat file collection, scanner integration, path scoping, approved-script exceptions, timestamp review, owner validation, and triage routing as required local deployment work.
DRI Assessment
Moderate for artifact review and persistence triage. Low for live runtime exploit detection.
DRI
7.0 / 10
TCR Assessment
Useful when matched artifacts are newly created, unapproved, or correlated with suspicious Jenkins behavior. Not sufficient as standalone proof of compromise.
Operational TCR
6.7 / 10
Full-Telemetry TCR
8.2 / 10
Limitations
YARA cannot reliably detect network exploitation or runtime deserialization without recoverable artifacts. Legitimate Jenkins administration and shared libraries may use Groovy, HTTP clients, credential providers, and process execution.
Detection Query Pattern
YARA artifact-scanning rule:
rule Jenkins_Suspicious_Groovy_Credential_Access_Or_Process_Execution_Artifact
{
    meta:
        description = "Detects suspicious Jenkins Groovy, job, plugin, or shared-library artifacts containing Jenkins credential access, process execution, shell invocation, or outbound staging behavior"
        author = "CyberDax"
        scope = "Jenkins home, job configs, plugins, shared libraries, workspace artifacts, forensic exports"
        severity = "medium"

    strings:
        // Jenkins object access
        $jenkins_1 = "Jenkins.instance" ascii wide
        $jenkins_2 = "hudson.model.Hudson.instance" ascii wide
        $jenkins_3 = "jenkins.model.Jenkins.getInstance" ascii wide
        // Credential-provider access
        $cred_1 = "com.cloudbees.plugins.credentials" ascii wide
        $cred_2 = "CredentialsProvider.lookupCredentials" ascii wide
        $cred_3 = "SystemCredentialsProvider" ascii wide
        // Groovy or Java process execution
        $proc_1 = "ProcessBuilder" ascii wide
        $proc_2 = "getRuntime().exec" ascii wide
        $proc_3 = ".execute()" ascii wide
        // Shell invocation
        $shell_1 = "/bin/bash" ascii wide
        $shell_2 = "/bin/sh" ascii wide
        $shell_3 = "cmd.exe" ascii wide
        $shell_4 = "powershell" ascii wide
        // Outbound network functions and transfer tools
        $net_1 = "new URL(" ascii wide
        $net_2 = "openConnection()" ascii wide
        $net_3 = "curl " ascii wide
        $net_4 = "wget " ascii wide
        // Encoded payload handling
        $enc_1 = "Base64.decoder" ascii wide
        $enc_2 = "decodeBase64" ascii wide
        $enc_3 = "FromBase64String" ascii wide

    condition:
        // Single groups are common in legitimate administration; only combinations fire.
        filesize < 5MB and
        (
            (1 of ($jenkins_*) and 1 of ($cred_*) and 1 of ($proc_*)) or
            (1 of ($jenkins_*) and 1 of ($cred_*) and 1 of ($net_*)) or
            (1 of ($jenkins_*) and 1 of ($proc_*) and 1 of ($shell_*)) or
            (1 of ($proc_*) and 1 of ($shell_*) and 1 of ($net_*)) or
            (1 of ($enc_*) and 1 of ($proc_*) and 1 of ($shell_*))
        )
}
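As an added offline triage aid (not the report's own tooling, and independent of yara-python), the following Python re-implements the rule's string groups and clause logic so an analyst can see which condition branch fired on a recovered artifact and confirm that an approved credential helper stays below the threshold, as the tuning guidance above requires. The three sample artifacts are constructed for illustration.

```python
# Offline emulation of the YARA rule's string groups and clause logic for triage.
# Atoms and clauses are copied from the rule; the artifacts below are constructed samples.
MAX_FILESIZE = 5 * 1024 * 1024          # "filesize < 5MB" (YARA MB = 1024 * 1024)

STRING_GROUPS = {
    "jenkins": ["Jenkins.instance", "hudson.model.Hudson.instance",
                "jenkins.model.Jenkins.getInstance"],
    "cred": ["com.cloudbees.plugins.credentials",
             "CredentialsProvider.lookupCredentials", "SystemCredentialsProvider"],
    "proc": ["ProcessBuilder", "getRuntime().exec", ".execute()"],
    "shell": ["/bin/bash", "/bin/sh", "cmd.exe", "powershell"],
    "net": ["new URL(", "openConnection()", "curl ", "wget "],
    "enc": ["Base64.decoder", "decodeBase64", "FromBase64String"],
}
# Each clause of the rule's condition: every listed group needs at least one hit.
CLAUSES = [
    ("jenkins", "cred", "proc"),
    ("jenkins", "cred", "net"),
    ("jenkins", "proc", "shell"),
    ("proc", "shell", "net"),
    ("enc", "proc", "shell"),
]


def matched_groups(data: bytes) -> dict:
    """Per group, the atoms present as ASCII or UTF-16LE (YARA 'ascii wide')."""
    hits = {}
    for group, atoms in STRING_GROUPS.items():
        found = [a for a in atoms
                 if a.encode("ascii") in data or a.encode("utf-16-le") in data]
        if found:
            hits[group] = found
    return hits


def evaluate(data: bytes) -> dict:
    """Emulate the rule; 'clauses' lists the condition branches that fired."""
    if len(data) >= MAX_FILESIZE:
        return {"match": False, "clauses": [], "hits": {}, "reason": "filesize gate"}
    hits = matched_groups(data)
    fired = [c for c in CLAUSES if all(g in hits for g in c)]
    return {"match": bool(fired), "clauses": fired, "hits": hits, "reason": ""}


# Constructed sample 1: an approved shared-library helper that only lists credential
# ids. Jenkins object access plus credential-provider access without process or
# network use stays below the rule's threshold (the tuning case from the text).
BENIGN_HELPER = b"""
import com.cloudbees.plugins.credentials.CredentialsProvider
def ids = CredentialsProvider.lookupCredentials(StandardCredentials, Jenkins.instance)
               .collect { it.id }
"""

# Constructed sample 2: detection tokens only, not a working script; combines Jenkins
# access, credential access, process execution, a shell and a transfer tool.
SUSPICIOUS_ARTIFACT = b"""
def j = Jenkins.instance
def c = com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(/* ... */)
def r = ['/bin/sh', '-c', 'curl ...'].execute()
"""

# Constructed sample 3: UTF-16LE text (e.g. a PowerShell file saved by Windows tooling)
# shows why the 'wide' modifier matters; only the enc/proc/shell clause should fire.
WIDE_SAMPLE = ("$d = [Convert]::FromBase64String($blob)\n"
               "& cmd.exe /c $d  # ProcessBuilder\n").encode("utf-16-le")

if __name__ == "__main__":
    for name, data in [("benign", BENIGN_HELPER), ("suspicious", SUSPICIOUS_ARTIFACT),
                       ("wide", WIDE_SAMPLE)]:
        r = evaluate(data)
        print(f"{name}: match={r['match']} clauses={r['clauses']} hits={sorted(r['hits'])}")
```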
AWS
Detection Viability Assessment
Production-deployable only when Jenkins is hosted on AWS and AWS telemetry can be joined with Jenkins application-layer logs, endpoint telemetry, Jenkins controller asset mapping, and downstream cloud activity. AWS control-plane logs alone are not sufficient to detect Jenkins deserialization or controller-side behavior.
Rule
AWS Hosted Jenkins Config Abuse With Linked IAM Secret Registry or Deployment Activity
Rule Format
AWS Athena / CloudTrail / ALB / WAF / Route 53 / VPC Flow correlation pattern requiring Jenkins asset and identity mapping.
Detection Purpose
Detect AWS-hosted Jenkins controller configuration-path activity that aligns with unusual egress or Jenkins-linked IAM activity involving secrets, registry publication, infrastructure modification, Kubernetes deployment, or production-impacting actions.
Detection Logic
Trigger when an AWS-hosted Jenkins controller receives suspicious Jenkins configuration-path activity and the same controller private IP, instance ID, ECS task, EKS pod, Jenkins instance profile, Jenkins task role, or Jenkins-linked IAM principal performs rare egress or high-risk AWS API activity within 120 minutes.
Assign medium severity for rare egress from AWS-hosted Jenkins controllers.
Assign high severity when rare egress or high-risk IAM activity aligns with suspicious Jenkins configuration-path activity on a mapped Jenkins controller.
Promote to critical when Jenkins-linked identity performs Secrets Manager access, Parameter Store access, ECR image push, EKS deployment activity, IAM modification, CloudFormation update, S3 artifact manipulation, CodeDeploy action, or production infrastructure modification outside approved release windows.
Required Telemetry
AWS asset inventory.
EC2 tags.
ECS or EKS workload labels where applicable.
ALB access logs.
CloudFront logs where applicable.
AWS WAF logs.
VPC Flow Logs.
Route 53 Resolver query logs.
CloudTrail.
EDR telemetry from Jenkins controllers.
Jenkins audit logs.
Approved Jenkins IAM role lookup.
Approved Jenkins instance profile lookup.
Approved Jenkins release-window lookup.
Approved Jenkins egress-destination lookup.
Approved Jenkins controller asset lookup.
Engineering Implementation Instructions
Map Jenkins controllers to EC2 instance IDs, private IPs, ECS tasks, EKS pods, target groups, ALB targets, CloudFront distributions, WAF web ACLs, IAM roles, instance profiles, task roles, security groups, NAT gateways, and Route 53 Resolver sources.
Map Jenkins-linked IAM principals to Jenkins controller assets, jobs, deployment workflows, and production accounts wherever possible.
Validate that ALB, CloudFront, WAF, or reverse-proxy logs preserve Jenkins URI paths before enabling high severity.
Create lookups for approved Jenkins IAM roles, approved Jenkins instance profiles, approved release windows, approved deployment actions, approved egress destinations, approved production accounts, and approved Jenkins controller assets.
Do not attribute AWS-only anomalies to Jenkins compromise without Jenkins asset identity, Jenkins service account, IAM role, instance profile, job, or time-window correlation.
Treat AWS asset tagging, log-source joins, CloudTrail identity mapping, URI-log validation, endpoint correlation, identity-to-controller mapping, and release-window tuning as required local deployment work.
DRI Assessment
Moderate to high with ALB/WAF URI logs, Jenkins audit logs, EDR telemetry, Route 53 logs, VPC Flow Logs, asset mapping, and CloudTrail identity mapping.
DRI
8.0 / 10
TCR Assessment
Moderate operational confidence for AWS-only egress. High confidence when Jenkins web/audit activity joins to IAM secret, registry, infrastructure, or deployment activity linked to the affected controller.
Operational TCR
7.6 / 10
Full-Telemetry TCR
9.0 / 10
Limitations
VPC Flow Logs do not show URI paths or process context. CloudTrail does not show Jenkins local request handling. Production use requires application-layer and host telemetry. Critical severity requires a Jenkins-linked identity or controller-to-identity mapping, not time proximity alone.
Detection Query Pattern
AWS Athena / SQL-style correlation pattern requiring local table names and field validation:
-- Athena (Trino) SQL. ENV_* names are placeholders for local tables and lookups;
-- validate column names and types against the local ALB, VPC Flow Log and CloudTrail tables.
WITH jenkins_controllers AS (
    SELECT
        controller_id,
        instance_id,
        private_ip,
        iam_role_arn,
        instance_profile_arn,
        account_id
    FROM ENV_AWS_JENKINS_CONTROLLERS
),
suspicious_jenkins_uri AS (
    SELECT
        -- The standard ALB access-log table stores time as an ISO 8601 string, not epoch seconds.
        CAST(from_iso8601_timestamp(alb.time) AS timestamp) AS event_time,
        alb.target_ip,
        alb.target_status_code,
        alb.client_ip,
        alb.request_verb,
        alb.request_url,
        alb.user_agent,
        jc.controller_id,
        jc.instance_id,
        jc.iam_role_arn,
        jc.instance_profile_arn,
        jc.account_id,
        'jenkins_config_submission' AS signal
    FROM ENV_AWS_ALB_ACCESS_LOGS alb
    JOIN jenkins_controllers jc
        ON alb.target_ip = jc.private_ip
    WHERE alb.request_verb = 'POST'
        AND (
            alb.request_url LIKE '%/config.xml%'
            OR alb.request_url LIKE '%/createItem%'
            OR alb.request_url LIKE '%/doCreateItem%'
            OR alb.request_url LIKE '%/doConfigSubmit%'
            OR alb.request_url LIKE '%/submitDescription%'
        )
        AND alb.client_ip NOT IN (SELECT source_ip FROM ENV_APPROVED_JENKINS_ADMIN_SOURCES)
        AND alb.client_ip NOT IN (SELECT source_ip FROM ENV_APPROVED_JENKINS_SCANNERS)
),
rare_egress AS (
    SELECT
        from_unixtime(v.start) AS event_time,   -- flow-log start is epoch seconds
        v.srcaddr,
        v.dstaddr,
        v.dstport,
        v.action,
        jc.controller_id,
        jc.instance_id,
        'rare_jenkins_egress' AS signal
    FROM ENV_AWS_VPC_FLOW_LOGS v
    JOIN jenkins_controllers jc
        ON v.srcaddr = jc.private_ip
    WHERE v.action = 'ACCEPT'
        AND v.dstaddr NOT IN (SELECT ip FROM ENV_APPROVED_JENKINS_EGRESS_DESTINATIONS)
),
high_risk_cloudtrail AS (
    SELECT
        -- CloudTrail eventtime is also an ISO 8601 string in the standard Athena table.
        CAST(from_iso8601_timestamp(c.eventtime) AS timestamp) AS event_time,
        c.useridentity.arn AS principal_arn,
        c.eventname,
        c.eventsource,
        c.awsregion,
        c.sourceipaddress,
        jc.controller_id,
        jc.instance_id,
        'jenkins_linked_aws_activity' AS signal
    FROM ENV_AWS_CLOUDTRAIL c
    JOIN jenkins_controllers jc
        -- Calls made through an instance profile carry the assumed-role session ARN in
        -- useridentity.arn; the role ARN itself is in sessioncontext.sessionissuer.arn.
        ON c.useridentity.arn = jc.iam_role_arn
        OR c.useridentity.arn = jc.instance_profile_arn
        OR c.useridentity.sessioncontext.sessionissuer.arn = jc.iam_role_arn
    WHERE c.eventname IN (
        'GetSecretValue',
        'PutSecretValue',
        'GetParameter',
        'GetParameters',
        'PutParameter',
        'UpdateFunctionCode',
        'CreateDeployment',
        'UpdateService',
        'RunTask',
        'PutImage',
        'BatchDeleteImage',
        'UpdateStack',
        'CreateStack',
        'DeleteStack',
        'CreateAccessKey',
        'AttachRolePolicy',
        'PutRolePolicy',
        'AssumeRole',
        'PutObject',
        'DeleteObject'
    )
        AND CAST(from_iso8601_timestamp(c.eventtime) AS timestamp)
            NOT BETWEEN ENV_APPROVED_RELEASE_WINDOW_START AND ENV_APPROVED_RELEASE_WINDOW_END
)
SELECT
    s.event_time AS uri_time,
    s.controller_id,
    s.instance_id,
    s.client_ip,
    s.request_url,
    s.user_agent,
    e.dstaddr,
    e.dstport,
    c.principal_arn,
    c.eventname,
    c.eventsource,
    c.awsregion
FROM suspicious_jenkins_uri s
LEFT JOIN rare_egress e
    ON s.controller_id = e.controller_id
    AND e.event_time BETWEEN s.event_time AND s.event_time + INTERVAL '120' MINUTE
LEFT JOIN high_risk_cloudtrail c
    ON s.controller_id = c.controller_id
    AND c.event_time BETWEEN s.event_time AND s.event_time + INTERVAL '120' MINUTE
WHERE e.signal IS NOT NULL OR c.signal IS NOT NULL
Azure
Detection Viability Assessment
Production-deployable only when Jenkins is hosted on Azure and Azure telemetry can be joined with Jenkins application-layer logs, endpoint telemetry, identity logs, and downstream deployment activity. Azure Activity Logs alone are not sufficient.
Rule
Azure Hosted Jenkins Config Abuse With Linked Identity Key Vault AKS or Registry Activity
Rule Format
Azure Monitor / Log Analytics KQL correlation pattern requiring Jenkins asset and identity mapping.
Detection Purpose
Detect Azure-hosted Jenkins controller configuration-path activity that aligns with rare egress or Jenkins-linked identity activity involving Key Vault, AKS, container registry, infrastructure modification, or production deployment.
Detection Logic
Trigger when an Azure-hosted Jenkins controller shows suspicious Jenkins configuration-path activity and the same controller, VM, workload, managed identity, service principal, or Jenkins-linked identity shows rare egress or high-risk Azure activity within 120 minutes.
Assign medium severity for rare egress from Azure-hosted Jenkins controllers.
Assign high severity when rare egress or high-risk Azure activity aligns with suspicious Jenkins configuration-path activity on a mapped Jenkins controller.
Promote to critical when Jenkins-linked identities access Key Vault secrets, modify AKS workloads, push container images, update production infrastructure, assign roles, or alter production resources outside approved release windows.
Required Telemetry
Application Gateway access logs.
Azure WAF logs.
Reverse-proxy logs where applicable.
Jenkins audit logs.
Defender for Endpoint telemetry from Jenkins controllers.
NSG Flow Logs.
Azure DNS or proxy logs.
Azure Activity Logs.
Microsoft Entra ID logs.
Key Vault audit logs.
AKS audit logs where applicable.
Azure Container Registry logs where applicable.
Approved Jenkins service principal lookup.
Approved Jenkins managed identity lookup.
Approved Jenkins release-window lookup.
Approved Jenkins egress-destination lookup.
Approved Jenkins controller asset lookup.
Engineering Implementation Instructions
Map Jenkins controllers to Azure VMs, VMSS instances, App Service instances, AKS workloads, private IPs, Application Gateway backend pools, WAF policies, managed identities, service principals, Key Vault access policies, container registries, and deployment targets.
Validate URI visibility in Application Gateway, WAF, reverse-proxy, or Jenkins access logs before enabling high severity.
Create approved Jenkins identity, release-window, egress-destination, resource-group, subscription, AKS cluster, Key Vault, container registry, and controller lookup tables.
Do not deploy an Azure Activity Log-only version of this rule.
Treat Azure asset mapping, identity mapping, WAF/Application Gateway field validation, endpoint telemetry joins, release-window tuning, identity-to-controller mapping, and SOC routing as required local deployment work.
DRI Assessment
Moderate with Azure-hosted Jenkins asset mapping and application-layer telemetry. Low for Azure-native control-plane-only telemetry.
DRI
7.6 / 10
TCR Assessment
Moderate operational confidence when Azure logs show suspicious downstream activity. High confidence requires Jenkins web/audit and endpoint correlation linked to the affected controller or Jenkins identity.
Operational TCR
7.3 / 10
Full-Telemetry TCR
8.8 / 10
Limitations
Azure Activity Logs do not show Jenkins request handling, Script Console use, or local process execution. Application-layer and endpoint telemetry are required for production confidence. Critical severity requires Jenkins-linked identity or controller-to-identity correlation, not time proximity alone.
Detection Query Pattern
Azure Monitor / Log Analytics KQL pattern requiring local table and field validation:
// KQL over AzureDiagnostics (legacy collection mode). Resource-specific tables such as
// AGWAccessLogs use different column names; ENV_* values are local placeholders.
let JenkinsControllers =
    externaldata(ControllerId:string, PrivateIp:string, Hostname:string, BackendPool:string, ManagedIdentity:string, ServicePrincipal:string)
    ["ENV_AZURE_JENKINS_CONTROLLERS_LOOKUP"];
let ApprovedAdminSources =
    externaldata(SourceIp:string)
    ["ENV_APPROVED_JENKINS_ADMIN_SOURCES_LOOKUP"];
let ApprovedAdminSourceValues =
    ApprovedAdminSources
    | project SourceIp;
let ApprovedEgress =
    externaldata(DestinationIp:string, DestinationDomain:string)
    ["ENV_APPROVED_JENKINS_EGRESS_DESTINATIONS_LOOKUP"];
let ApprovedEgressValues =
    ApprovedEgress
    | project DestinationIp;
let SuspiciousJenkinsUri =
    AzureDiagnostics
    | where Category in ("ApplicationGatewayAccessLog", "ApplicationGatewayFirewallLog")
    // Application Gateway access logs expose the HTTP method as httpMethod_s.
    | where httpMethod_s == "POST"
    | where requestUri_s has_any ("/config.xml", "/createItem", "/doCreateItem", "/doConfigSubmit", "/submitDescription")
    | project
        UriTime=TimeGenerated,
        BackendPool=tostring(backendPoolName_s),
        SourceIp=tostring(clientIP_s),
        Uri=tostring(requestUri_s),
        Method=tostring(httpMethod_s),
        UserAgent=tostring(userAgent_s)
    | join kind=inner JenkinsControllers on BackendPool
    | where SourceIp !in (ApprovedAdminSourceValues);
let RareEgress =
    AzureNetworkAnalytics_CL
    | project
        EgressTime=TimeGenerated,
        PrivateIp=tostring(SrcIP_s),
        DestIP=tostring(DestIP_s),
        DestPort=tostring(DestPort_d),
        FlowStatus=tostring(FlowStatus_s)
    | join kind=inner JenkinsControllers on PrivateIp
    // Validate the allowed-flow value against the local Traffic Analytics schema before deploying.
    | where FlowStatus == "Allowed"
    | where DestIP !in (ApprovedEgressValues);
let HighRiskAzureActivity =
    AzureActivity
    // AzureActivity carries control-plane operations only; Key Vault secret reads are
    // data-plane events and need the Key Vault audit logs listed in Required Telemetry.
    | where OperationNameValue in (
        "MICROSOFT.KEYVAULT/VAULTS/SECRETS/READ",
        "MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE",
        "MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/WRITE",
        "MICROSOFT.CONTAINERREGISTRY/REGISTRIES/PUSH/WRITE",
        "MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE",
        "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE",
        "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"
    )
    | project
        CloudTime=TimeGenerated,
        Identity=tostring(Caller),
        OperationNameValue=tostring(OperationNameValue),
        ResourceGroup=tostring(ResourceGroup),
        SubscriptionId=tostring(SubscriptionId)
    | join kind=inner JenkinsControllers on $left.Identity == $right.ServicePrincipal
    | where CloudTime !between (datetime(ENV_APPROVED_RELEASE_START) .. datetime(ENV_APPROVED_RELEASE_END));
SuspiciousJenkinsUri
| join kind=leftouter RareEgress on ControllerId
| where isempty(EgressTime) or (EgressTime between (UriTime .. UriTime + 120m))
| join kind=leftouter HighRiskAzureActivity on ControllerId
| where isempty(CloudTime) or (CloudTime between (UriTime .. UriTime + 120m))
| where isnotempty(DestIP) or isnotempty(OperationNameValue)
| project
    UriTime,
    ControllerId,
    Hostname,
    SourceIp,
    Uri,
    UserAgent,
    DestIP,
    DestPort,
    Identity,
    OperationNameValue,
    ResourceGroup,
    SubscriptionId
GCP
Detection Viability Assessment
Production-deployable only when Jenkins is hosted on GCP and GCP telemetry can be joined with Jenkins application-layer logs, endpoint telemetry, workload identity, and downstream deployment activity. GCP Audit Logs alone are not sufficient.
Rule
GCP Hosted Jenkins Config Abuse With Linked Service Account Secret Artifact or GKE Activity
Rule Format
BigQuery / Cloud Logging correlation pattern requiring Jenkins asset and identity mapping.
Detection Purpose
Detect GCP-hosted Jenkins controller configuration-path activity that aligns with rare egress or Jenkins-linked service-account activity involving Secret Manager, Artifact Registry, GKE, infrastructure modification, or production deployment.
Detection Logic
Trigger when a GCP-hosted Jenkins controller shows suspicious Jenkins configuration-path activity and the same VM, GKE workload, service account, or Jenkins-linked identity shows rare egress or high-risk GCP activity within 120 minutes.
Assign medium severity for rare egress from GCP-hosted Jenkins controllers.
Assign high severity when rare egress or high-risk GCP activity aligns with suspicious Jenkins configuration-path activity on a mapped Jenkins controller.
Promote to critical when Jenkins-linked service accounts access secrets, push artifacts, deploy to GKE, modify production infrastructure, assign IAM policy, or alter production resources outside approved release windows.
Required Telemetry
Cloud Load Balancing logs.
Cloud Armor logs where applicable.
Jenkins audit logs.
Compute Engine or GKE asset mapping.
Endpoint telemetry from Jenkins workloads.
VPC Flow Logs.
Cloud DNS logs.
Google Cloud Audit Logs.
Secret Manager audit logs.
GKE audit logs where applicable.
Artifact Registry logs where applicable.
Approved Jenkins service-account lookup.
Approved Jenkins release-window lookup.
Approved Jenkins egress-destination lookup.
Approved Jenkins controller asset lookup.
Engineering Implementation Instructions
Map Jenkins controllers to Compute Engine instances, GKE pods, namespaces, service accounts, private IPs, load-balancer backends, Cloud Armor policies, Artifact Registry repositories, Secret Manager secrets, deployment targets, and production projects.
Validate URI visibility through load balancer, ingress, reverse proxy, or Jenkins logs before enabling high-severity detections.
Create approved Jenkins service account, release-window, egress-destination, project, cluster, namespace, secret, registry, controller, and workload lookup tables.
Do not deploy a GCP Audit Log-only version of this rule.
Treat GCP asset mapping, workload identity mapping, URI-log validation, endpoint telemetry joins, release-window tuning, identity-to-controller mapping, and SOC routing as required local deployment work.
DRI Assessment
Moderate with GCP-hosted Jenkins asset mapping and application-layer telemetry. Low for GCP-native control-plane-only telemetry.
DRI
7.5 / 10
TCR Assessment
Moderate operational confidence when GCP logs show suspicious downstream activity. High confidence requires Jenkins web/audit and endpoint correlation linked to the affected controller or Jenkins service account.
Operational TCR
7.2 / 10
Full-Telemetry TCR
8.7 / 10
Limitations
GCP Audit Logs do not show Jenkins request handling, Script Console use, or local process execution. Application-layer and endpoint telemetry are required for production confidence. Critical severity requires Jenkins-linked service account or controller-to-identity correlation, not time proximity alone.
Detection Query Pattern
BigQuery / Cloud Logging SQL-style pattern requiring local table and field validation:
-- BigQuery Standard SQL over Cloud Logging sink exports. ENV_* names are placeholders;
-- validate field names against the local sink schemas before deploying.
WITH jenkins_controllers AS (
    SELECT
        controller_id,
        backend_service_name,
        private_ip,
        instance_id,
        project_id,
        service_account_email
    FROM `ENV_GCP_JENKINS_CONTROLLERS`
),
suspicious_jenkins_uri AS (
    SELECT
        lb.timestamp AS event_time,
        lb.resource.labels.backend_service_name AS backend_service_name,
        lb.httpRequest.remoteIp AS source_ip,
        lb.httpRequest.requestMethod AS method,
        lb.httpRequest.requestUrl AS request_url,
        lb.httpRequest.userAgent AS user_agent,
        jc.controller_id,
        jc.private_ip,
        jc.service_account_email,
        jc.project_id
    FROM `ENV_GCP_HTTP_LOAD_BALANCER_LOGS` lb
    JOIN jenkins_controllers jc
        ON lb.resource.labels.backend_service_name = jc.backend_service_name
    WHERE lb.httpRequest.requestMethod = 'POST'
        AND (
            REGEXP_CONTAINS(lb.httpRequest.requestUrl, r'/config\.xml')
            OR REGEXP_CONTAINS(lb.httpRequest.requestUrl, r'/createItem')
            OR REGEXP_CONTAINS(lb.httpRequest.requestUrl, r'/doCreateItem')
            OR REGEXP_CONTAINS(lb.httpRequest.requestUrl, r'/doConfigSubmit')
            OR REGEXP_CONTAINS(lb.httpRequest.requestUrl, r'/submitDescription')
        )
        AND lb.httpRequest.remoteIp NOT IN (
            SELECT source_ip FROM `ENV_APPROVED_JENKINS_ADMIN_SOURCES`
        )
),
rare_egress AS (
    SELECT
        flow.timestamp AS event_time,
        flow.jsonPayload.connection.src_ip AS src_ip,
        flow.jsonPayload.connection.dest_ip AS dest_ip,
        flow.jsonPayload.connection.dest_port AS dest_port,
        -- Validate locally: `disposition` is a Firewall Rules Logging field and may be
        -- absent from VPC Flow Log records, which carry `connection` and `reporter`.
        flow.jsonPayload.disposition AS disposition,
        jc.controller_id
    FROM `ENV_GCP_VPC_FLOW_LOGS` flow
    JOIN jenkins_controllers jc
        ON flow.jsonPayload.connection.src_ip = jc.private_ip
    WHERE flow.jsonPayload.disposition = 'ALLOWED'
        AND flow.jsonPayload.connection.dest_ip NOT IN (
            SELECT dest_ip FROM `ENV_APPROVED_JENKINS_EGRESS_DESTINATIONS`
        )
),
high_risk_gcp_activity AS (
    SELECT
        audit.timestamp AS event_time,
        audit.protoPayload.authenticationInfo.principalEmail AS principal_email,
        audit.protoPayload.methodName AS method_name,
        audit.resource.labels.project_id AS project_id,
        audit.protoPayload.resourceName AS resource_name,
        jc.controller_id
    FROM `ENV_GCP_AUDIT_LOGS` audit
    JOIN jenkins_controllers jc
        ON audit.protoPayload.authenticationInfo.principalEmail = jc.service_account_email
    WHERE audit.protoPayload.methodName IN (
        -- Extend with the Artifact Registry upload/push method names seen in local audit logs.
        'google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion',
        'google.devtools.artifactregistry.v1.ArtifactRegistry.UploadAptArtifact',
        'google.devtools.artifactregistry.v1.ArtifactRegistry.UploadYumArtifact',
        'io.k8s.apps.v1.deployments.update',
        'io.k8s.core.v1.secrets.get',
        'v1.compute.instances.setMetadata',
        'v1.compute.instances.insert',
        'v1.compute.firewalls.patch',
        'SetIamPolicy'
    )
        AND audit.timestamp NOT BETWEEN TIMESTAMP('ENV_APPROVED_RELEASE_START') AND TIMESTAMP('ENV_APPROVED_RELEASE_END')
)
SELECT
    s.event_time,
    s.controller_id,
    s.source_ip,
    s.request_url,
    s.user_agent,
    e.dest_ip,
    e.dest_port,
    c.principal_email,
    c.method_name,
    c.project_id,
    c.resource_name
FROM suspicious_jenkins_uri s
LEFT JOIN rare_egress e
    ON s.controller_id = e.controller_id
    AND e.event_time BETWEEN s.event_time AND TIMESTAMP_ADD(s.event_time, INTERVAL 120 MINUTE)
LEFT JOIN high_risk_gcp_activity c
    ON s.controller_id = c.controller_id
    AND c.event_time BETWEEN s.event_time AND TIMESTAMP_ADD(s.event_time, INTERVAL 120 MINUTE)
WHERE e.dest_ip IS NOT NULL OR c.method_name IS NOT NULL
S26 Threat-to-Rule Traceability
Jenkins Configuration Submission Abuse
Covered by NDR / Network Behavioral Analytics, Splunk, Elastic, QRadar, AWS, Azure, and GCP where URI paths and controller identity are available.
User Impersonation or Privileged Jenkins Request Handling
Covered by Jenkins audit correlations, proxy user-context enrichment, crumb anomaly logic where available, Splunk and Elastic sequences, and QRadar building-block logic.
Script Console and Credential Activity
Covered by Splunk, Elastic, QRadar, SentinelOne, and endpoint/file correlations when privileged Jenkins activity aligns with suspicious configuration submission.
Job and Plugin Manipulation
Covered by Jenkins audit detections, Splunk, Elastic, QRadar, SentinelOne, SIGMA, and YARA artifact triage.
Controller-Side Execution and Sensitive File Access
Covered by SentinelOne, Splunk, Elastic, QRadar, SIGMA, and YARA where controller host or artifact telemetry is available.
Rare Controller Egress
Covered by NDR, DNS/proxy, Splunk, Elastic, AWS, Azure, and GCP correlations where Jenkins controller identity and egress telemetry are available.
Downstream CI/CD Abuse
Covered where source-code, artifact, cloud, Kubernetes, and deployment telemetry can be tied to Jenkins-linked users, service accounts, jobs, or release windows.
Evidence and Visibility Gaps
Covered by telemetry requirements, detection gaps, non-coverage conditions, and cloud telemetry limitations.
S29 Detection Coverage Summary
Coverage is strongest where Jenkins audit logs, URI-preserving web logs, endpoint process telemetry, endpoint file telemetry, DNS/proxy logs, artifact logs, cloud logs, Kubernetes logs, and release records can be joined by controller, user, job, identity, and time window.
Minimum viable coverage requires visibility into Jenkins configuration submission and privileged Jenkins activity.
Stronger coverage requires correlation across controller behavior and downstream CI/CD activity.
Cloud-native logs alone are insufficient unless combined with Jenkins application-layer logs, controller host telemetry, workload identity mapping, and deployment telemetry.
Customer-specific telemetry validation is expected and does not reduce production-readiness when Required Telemetry, Engineering Implementation Instructions, Limitations, and Notes / Next Suggested Steps provide the engineer or administrator with a clear implementation path.
S33 Defensive Control & Hardening Improvements
Upgrade affected Jenkins controllers to fixed versions.
Restrict Jenkins administrative and configuration endpoints.
Restrict network access to Jenkins controllers.
Require MFA for privileged Jenkins users.
Review Overall/Read permission assignments.
Review job, view, agent, and system configuration permissions.
Restrict Script Console access.
Maintain approved Jenkins administrator, job, plugin, service-account, maintenance-window, release-window, and egress inventories.
Log job configuration changes, plugin changes, credential activity, Script Console access, API token creation, node changes, user changes, and security realm changes.
Deploy endpoint telemetry and file integrity monitoring on Jenkins controllers.
Restrict outbound egress from Jenkins controllers to approved destinations where feasible.
Scope Jenkins cloud roles and Kubernetes service accounts narrowly.
Prefer short-lived credentials.
Validate artifact provenance and production deployments after suspicious Jenkins activity.
Preserve logs from Jenkins, WAF, reverse proxy, load balancer, endpoint, DNS, proxy, source-code, artifact, cloud, and Kubernetes sources during investigation.
S39 Economic Impact & Organizational Exposure
Jenkins controller deserialization and CI/CD control-plane abuse exposure creates organizational exposure by increasing uncertainty around Jenkins controller integrity, credential trust, job trust, plugin integrity, artifact provenance, source-code workflow integrity, cloud deployment authority, Kubernetes deployment authority, release governance, and production-change integrity. Exposure rises when affected Jenkins controllers support production releases, emergency fixes, artifact generation, infrastructure deployment, Kubernetes deployment, regulated workloads, or customer-facing applications.
Estimated Economic Exposure
Estimated exposure should be scenario-based and tied to whether activity remains limited to suspicious configuration exposure, becomes privileged Jenkins activity, or expands into credential theft, artifact manipulation, cloud or Kubernetes activity, production release compromise, customer-facing software impact, or rebuild of CI/CD trust anchors.
Low Impact Scenario
Estimated $25K - $150K.
This scenario applies when investigation confirms affected-version exposure or suspicious configuration-path activity without privileged Jenkins action, Script Console access, credential exposure, controller file read, job change, plugin change, controller execution, rare egress, artifact publication, cloud activity, Kubernetes activity, or production deployment impact.
Moderate Impact Scenario
Estimated $150K - $1.2M.
This scenario applies when confirmed or strongly suspected abuse affects one or more production Jenkins controllers and the organization cannot quickly rule out user impersonation, credential exposure, job modification, plugin modification, artifact activity, cloud activity, Kubernetes activity, or release-path abuse.
High Impact Scenario
Estimated $1M - $8M+.
This scenario applies when abuse involves Script Console execution, arbitrary controller file read, credential theft, malicious job modification, plugin persistence, unauthorized artifact publication, source-code abuse, cloud control-plane activity, Kubernetes deployment manipulation, production release compromise, public disclosure, customer-facing software impact, or durable CI/CD access.
Annualized Risk Exposure
Estimated $150K - $1.2M+ for materially exposed Jenkins environments with affected controller versions, privileged configuration permissions, production release workflows, incomplete logging, missing endpoint telemetry, broad Jenkins-managed credentials, weak egress visibility, incomplete artifact provenance, or incomplete downstream identity mapping.
Exposure may exceed $1M - $8M+ where Jenkins abuse results in credential theft, artifact manipulation, production deployment impact, customer-facing software impact, legal review, customer communications, or board-level reporting.
Operational Dependency
Operational dependency is high where Jenkins supports production releases, engineering delivery, emergency fixes, artifact generation, infrastructure deployment, cloud automation, Kubernetes deployment, source-code integration, credential brokering, or regulated software-delivery workflows.
Control Trust
Control trust is reduced when the organization cannot prove that Jenkins users, permissions, configuration submissions, job changes, plugin changes, Script Console activity, credential access, controller file reads, service-account execution, artifact publication, cloud activity, Kubernetes activity, and deployment records remained legitimate.
Visibility Confidence
Visibility confidence is highest when Jenkins audit logs, web logs, endpoint telemetry, file telemetry, DNS/proxy logs, source-code records, artifact records, cloud logs, Kubernetes logs, release records, approved inventories, and change-control records can be joined reliably.
Change-Control Confidence
Change-control confidence is high when Jenkins upgrades, job changes, plugin updates, credential changes, Script Console use, release workflows, deployment jobs, cloud changes, Kubernetes changes, and emergency remediation are documented and attributable.
Downstream Dependency
Downstream dependency is high when Jenkins connects to source-code repositories, artifact repositories, package registries, container registries, cloud platforms, Kubernetes clusters, secrets managers, identity providers, deployment tools, infrastructure-as-code systems, or customer-facing applications.
Customer and Regulatory Exposure
Customer and regulatory exposure increases when suspicious Jenkins activity may affect customer-facing software, regulated workloads, artifact integrity, deployment integrity, credential confidentiality, source-code integrity, production change history, or customer-delivered packages and images.
Residual Economic Risk
Residual economic risk remains if the organization cannot prove that affected Jenkins controllers were upgraded, permissions were validated, credentials were rotated where required, job and plugin integrity were reviewed, controller filesystem changes were scoped, artifacts were validated, cloud and Kubernetes activity was reviewed, production deployments were verified, and CI/CD trust was restored.
Proof-of-Concept Behavioral Coverage Assessment
This TTD’s behavioral model covers Jenkins controller abuse aligned with configuration submission, privileged request handling, user impersonation, Script Console access, arbitrary file read, credential access, job manipulation, plugin manipulation, controller execution, rare egress, artifact publication, source-code activity, cloud activity, Kubernetes deployment activity, and production release manipulation.
The TTD is not limited to one CVE, exploit string, request path, user agent, proof-of-concept implementation, actor name, advisory, KEV listing, scanner result, WAF signature, or endpoint event.
Detection Engineering Coverage Interpretation
The S25 detection content provides direct behavioral coverage where observable activity falls inside the TTD’s detection model: suspicious Jenkins configuration submission, privileged Jenkins path access, unusual authenticated-user context, crumb anomalies where visible, Script Console activity, credential activity, job activity, plugin activity, controller-side execution, sensitive file access, rare egress, artifact publication, cloud deployment activity, Kubernetes deployment activity, and production release activity.
The S25 detection content provides coverage with adaptation for related Jenkins, CI/CD, build-system, deployment-system, artifact-publishing, cloud-automation, Kubernetes-deployment, or software-delivery compromise activity where observable behavior aligns to privileged CI/CD abuse, controller execution, credential exposure, job manipulation, plugin persistence, artifact manipulation, source-code abuse, downstream deployment activity, or release integrity impact.
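The coverage interpretation above describes the detection model in categories (privileged Jenkins path access, unusual authenticated-user context, Script Console and credential activity). The block below is an added illustration of how such behavior can be surfaced from Jenkins controller web logs; it is example code written for this report section, not the S25 detection content itself and not Jenkins project code. It assumes an NCSA-style access log in which the third field carries the authenticated Jenkins user ("-" when anonymous), a constructed approved-admin set, and a list of privileged route prefixes (Script Console, configuration submission, plugin installation, credential views) taken from Jenkins' documented UI paths; a deployment behind a context path would need that prefix stripped first. The sample log lines are invented.

```python
import re
from collections import Counter

# Constructed sample access log in NCSA common format, the shape Jenkins' built-in
# Winstone access logger can emit (assumption: the third field holds the
# authenticated Jenkins user, "-" when anonymous). Every line here is invented.
SAMPLE_LOG = """\
10.0.0.5 - alice [15/Jun/2026:09:12:01 +0000] "GET /job/web-app/ HTTP/1.1" 200 5120
10.0.0.5 - alice [15/Jun/2026:09:13:44 +0000] "POST /job/web-app/configSubmit HTTP/1.1" 302 0
203.0.113.77 - bob [15/Jun/2026:09:20:10 +0000] "POST /job/web-app/configSubmit HTTP/1.1" 302 0
203.0.113.77 - bob [15/Jun/2026:09:21:02 +0000] "POST /manage/script HTTP/1.1" 200 3300
203.0.113.77 - - [15/Jun/2026:09:25:30 +0000] "POST /scriptText HTTP/1.1" 200 12
10.0.0.9 - carol [15/Jun/2026:09:30:00 +0000] "GET /manage/credentials/store/system/domain/_/ HTTP/1.1" 200 900
10.0.0.5 - alice [15/Jun/2026:09:31:00 +0000] "GET /pluginManager/ HTTP/1.1" 200 7000
this line is not an access log record
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Request paths that carry privileged control-plane meaning on a Jenkins
# controller. The route prefixes are assumed from Jenkins' documented UI paths;
# the category labels are this example's own naming, not Jenkins terminology.
PRIVILEGED_PATHS = [
    (re.compile(r"^/(manage/)?script(Text)?(\?|$)"), "script_console"),
    (re.compile(r"^/job/[^/]+/configSubmit(\?|$)"), "job_config_submit"),
    (re.compile(r"^/configSubmit(\?|$)"), "global_config_submit"),
    (re.compile(r"^/pluginManager/(uploadPlugin|installNecessaryPlugins|install)"), "plugin_install"),
    (re.compile(r"^/(manage/)?credentials/"), "credential_access"),
]


def parse_line(line):
    """Return the fields of one access-log record, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify_path(path):
    """Map a request path to a privileged category, or None for ordinary traffic."""
    for pattern, category in PRIVILEGED_PATHS:
        if pattern.match(path):
            return category
    return None


def severity(rec, approved_admins):
    """Score one privileged request from its user context and outcome."""
    if rec["status"] >= 400:
        return "low"            # denied attempt: keep for trending, not for paging
    if rec["user"] == "-":
        return "critical"       # anonymous success on a privileged path
    if rec["user"] not in approved_admins:
        return "high" if rec["method"] == "POST" else "medium"
    return "info"               # approved admin: audit trail only


def analyze(log_text, approved_admins):
    """Return one finding per privileged request found in the log text."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # unparseable line: skipped, not an error
        category = classify_path(rec["path"])
        if category is None:
            continue                      # ordinary browsing or job traffic
        findings.append({
            "user": rec["user"], "ip": rec["ip"], "ts": rec["ts"],
            "method": rec["method"], "path": rec["path"],
            "category": category, "severity": severity(rec, approved_admins),
        })
    return findings


def actionable_by_user(findings):
    """Count high/critical findings per user, the view an analyst triages first."""
    return Counter(f["user"] for f in findings if f["severity"] in ("high", "critical"))


if __name__ == "__main__":
    approved = {"alice"}                  # constructed approved-admin set
    findings = analyze(SAMPLE_LOG, approved)
    for f in findings:
        print(f"{f['severity']:8} {f['user']:6} {f['category']:20} {f['method']} {f['path']}")
    print(dict(actionable_by_user(findings)))
```

Run as-is, the two configuration submissions look identical at the path level; only the join against the approved-admin set separates the routine change by alice from the one by bob, and the anonymous POST to the Script Console text endpoint is the single record that would page on its own. In production the approved-admin set should come from the Jenkins authorization export or change-control records rather than a hard-coded literal, and the same findings should be joined with endpoint and egress telemetry before a controller is declared compromised.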
Non-Coverage Conditions
Non-coverage applies where related activity does not produce observable Jenkins configuration submission, privileged Jenkins request handling, user impersonation, Script Console access, credential activity, arbitrary controller file read, job modification, plugin modification, controller-side execution, sensitive file access, rare egress, artifact publication, source-code activity, cloud activity, Kubernetes activity, production deployment activity, or CI/CD trust impact.
Activity limited to unrelated CI/CD systems, unrelated web applications, identity-only anomalies, cloud-only anomalies, network-only anomalies, isolated scanner findings, availability-only Jenkins errors, benign administrative maintenance, or non-Jenkins software flaws should not be represented as covered by this TTD.
Coverage Qualification
This is a behavioral detection-readiness statement, not a universal Jenkins, CI/CD, deserialization, plugin, cloud, Kubernetes, CVE, KEV, or proof-of-concept coverage ledger. A related issue should only be considered aligned when it shares enough observable behavior with the TTD’s detection model to support credible detection or detection-readiness coverage.
KEV status should be treated as an urgency and remediation-prioritization signal, not as the basis for coverage by itself. Coverage remains based on observable Jenkins-controller-to-CI/CD-control-plane behavior aligned to the TTD’s S21 through S25 detection strategy.
Executive Exposure Statement
The organization’s economic exposure is highest when Jenkins controller abuse creates uncertainty around whether Jenkins administration, controller integrity, credentials, jobs, plugins, artifacts, source-code workflows, cloud deployments, Kubernetes workloads, production releases, and customer-facing software delivery remain reliable. The strategic risk is not one CVE or one request path; it is the possibility that attackers can convert Jenkins controller trust into privileged CI/CD abuse, leaving the organization uncertain whether release trust can be restored.
S40 References
Vendor / Platform Documentation
· Jenkins Security Advisory 2026-06-10 - SECURITY-3707 / CVE-2026-53435 - hxxps://www[.]jenkins[.]io/security/advisory/2026-06-10/
· Jenkins Documentation - Managing Jenkins - hxxps://www[.]jenkins[.]io/doc/book/managing/
· Jenkins Documentation - Security - hxxps://www[.]jenkins[.]io/doc/book/security/
· Jenkins Documentation - Script Console - hxxps://www[.]jenkins[.]io/doc/book/managing/script-console/
· Jenkins Documentation - Credentials - hxxps://www[.]jenkins[.]io/doc/book/using/using-credentials/
Threat Technique Framework
· MITRE ATT&CK Enterprise Matrix / Techniques Catalog - hxxps://attack[.]mitre[.]org/
· NVD - CVE-2026-53435 - hxxps://nvd[.]nist[.]gov/vuln/detail/CVE-2026-53435
· CISA Known Exploited Vulnerabilities Catalog, reviewed for CVE-2026-53435 listing status - hxxps://www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
Security Vendor Analysis
· GitHub Advisory Database - GHSA-g2xq-2v27-4rh3 - hxxps://github[.]com/advisories/GHSA-g2xq-2v27-4rh3
· OpenCVE - CVE-2026-53435 - hxxps://app[.]opencve[.]io/cve/CVE-2026-53435
· Rapid7 Vulnerability Database - Jenkins Advisory 2026-06-10: CVE-2026-53435: Deserialization vulnerability - hxxps://www[.]rapid7[.]com/db/vulnerabilities/jenkins-2026-06-10_cve-2026-53435/
· CVEFeed - CVE-2026-53435 - hxxps://cvefeed[.]io/vuln/detail/CVE-2026-53435
Detection Platform Documentation
· SentinelOne Documentation - hxxps://docs[.]sentinelone[.]com/
· Splunk Search Reference - hxxps://docs[.]splunk[.]com/Documentation/Splunk/latest/SearchReference/WhatsInThisManual
· Elastic Security Detection Rules Documentation - hxxps://www[.]elastic[.]co/guide/en/security/current/rules-ui-management[.]html
· IBM QRadar Documentation - hxxps://www[.]ibm[.]com/docs/en/qradar-common
· Sigma Rule Specification - hxxps://sigmahq[.]io/docs/basics/rules[.]html
· AWS WAF Documentation - hxxps://docs[.]aws[.]amazon[.]com/waf/
· Azure Monitor Logs Documentation - hxxps://learn[.]microsoft[.]com/azure/azure-monitor/logs/
· Google Cloud Logging Documentation - hxxps://cloud[.]google[.]com/logging/docs