GKE Secret get or list with Suspicious User Agent

Detects successful GKE secret get or list operations where the user agent matches scripting runtimes, minimal HTTP clients, or offensive-distribution fingerprints rather than typical kubectl or controller traffic.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2026/06/30"
 3integration = ["gcp"]
 4maturity = "production"
 5updated_date = "2026/06/30"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Detects successful GKE secret get or list operations where the user agent matches scripting runtimes, minimal HTTP
11clients, or offensive-distribution fingerprints rather than typical kubectl or controller traffic.
12"""
13false_positives = [
14    """
15    Approved scripts, CI jobs, or penetration tests may use generic HTTP clients. Validate tickets and identity scope
16    before treating as compromise.
17    """,
18]
19index = ["logs-gcp.audit-*"]
20language = "kuery"
21license = "Elastic License v2"
22name = "GKE Secret get or list with Suspicious User Agent"
23note = """## Triage and analysis
24
25### Investigating GKE Secret get or list with Suspicious User Agent
26
27Review `user.email`, `user_agent.original`, targeted secret resource, and `source.ip`.
28
29### Investigation steps
30
31- Confirm whether the identity should access secrets with this client fingerprint.
32- Pivot on source IP for other API bursts, exec, or RBAC changes.
33
34### False positives
35
36- Internal automation using generic libraries; exclude stable service accounts after review.
37
38## Setup
39
40The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule."""
41references = [
42    "https://attack.mitre.org/techniques/T1552/007/",
43]
44risk_score = 73
45rule_id = "0c04d82f-6def-4659-aa62-ed6355a51f39"
46severity = "high"
47tags = [
48    "Domain: Cloud",
49    "Domain: Kubernetes",
50    "Data Source: GCP",
51    "Data Source: Google Cloud Platform",
52    "Use Case: Threat Detection",
53    "Tactic: Credential Access",
54    "Resources: Investigation Guide",
55]
56timestamp_override = "event.ingested"
57type = "query"
58
59query = '''
60data_stream.dataset:gcp.audit and service.name:"k8s.io" and event.outcome:success and
61event.action:("io.k8s.core.v1.secrets.list" or "io.k8s.core.v1.secrets.get") and user_agent.original:(
62  curl* or python* or Python* or wget* or Go-http* or perl* or java* or node* or php* or *distrib#kali* or *kali-amd64* or
63  *kali-arm64* or Bun* or axios* or undici*
64)
65'''
66
67[[rule.threat]]
68framework = "MITRE ATT&CK"
69
70[[rule.threat.technique]]
71id = "T1552"
72name = "Unsecured Credentials"
73reference = "https://attack.mitre.org/techniques/T1552/"
74
75[[rule.threat.technique.subtechnique]]
76id = "T1552.007"
77name = "Container API"
78reference = "https://attack.mitre.org/techniques/T1552/007/"
79
80[rule.threat.tactic]
81id = "TA0006"
82name = "Credential Access"
83reference = "https://attack.mitre.org/tactics/TA0006/"

Triage and analysis

Investigating GKE Secret get or list with Suspicious User Agent

Review user.email, user_agent.original, targeted secret resource, and source.ip.

Investigation steps

  • Confirm whether the identity should access secrets with this client fingerprint.
  • Pivot on source IP for other API bursts, exec, or RBAC changes.

False positives

  • Internal automation using generic libraries; exclude stable service accounts after review.

Setup

The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.

References

Related rules

to-top