GKE Secret get or list with Suspicious User Agent
Detects successful GKE secret get or list operations where the user agent matches scripting runtimes, minimal HTTP clients, or offensive-distribution fingerprints rather than typical kubectl or controller traffic.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2026/06/30"
3integration = ["gcp"]
4maturity = "production"
5updated_date = "2026/06/30"
6
7[rule]
8author = ["Elastic"]
9description = """
10Detects successful GKE secret get or list operations where the user agent matches scripting runtimes, minimal HTTP
11clients, or offensive-distribution fingerprints rather than typical kubectl or controller traffic.
12"""
13false_positives = [
14 """
15 Approved scripts, CI jobs, or penetration tests may use generic HTTP clients. Validate tickets and identity scope
16 before treating as compromise.
17 """,
18]
19index = ["logs-gcp.audit-*"]
20language = "kuery"
21license = "Elastic License v2"
22name = "GKE Secret get or list with Suspicious User Agent"
23note = """## Triage and analysis
24
25### Investigating GKE Secret get or list with Suspicious User Agent
26
27Review `user.email`, `user_agent.original`, targeted secret resource, and `source.ip`.
28
29### Investigation steps
30
31- Confirm whether the identity should access secrets with this client fingerprint.
32- Pivot on source IP for other API bursts, exec, or RBAC changes.
33
34### False positives
35
36- Internal automation using generic libraries; exclude stable service accounts after review.
37
38## Setup
39
40The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule."""
41references = [
42 "https://attack.mitre.org/techniques/T1552/007/",
43]
44risk_score = 73
45rule_id = "0c04d82f-6def-4659-aa62-ed6355a51f39"
46severity = "high"
47tags = [
48 "Domain: Cloud",
49 "Domain: Kubernetes",
50 "Data Source: GCP",
51 "Data Source: Google Cloud Platform",
52 "Use Case: Threat Detection",
53 "Tactic: Credential Access",
54 "Resources: Investigation Guide",
55]
56timestamp_override = "event.ingested"
57type = "query"
58
59query = '''
60data_stream.dataset:gcp.audit and service.name:"k8s.io" and event.outcome:success and
61event.action:("io.k8s.core.v1.secrets.list" or "io.k8s.core.v1.secrets.get") and user_agent.original:(
62 curl* or python* or Python* or wget* or Go-http* or perl* or java* or node* or php* or *distrib#kali* or *kali-amd64* or
63 *kali-arm64* or Bun* or axios* or undici*
64)
65'''
66
67[[rule.threat]]
68framework = "MITRE ATT&CK"
69
70[[rule.threat.technique]]
71id = "T1552"
72name = "Unsecured Credentials"
73reference = "https://attack.mitre.org/techniques/T1552/"
74
75[[rule.threat.technique.subtechnique]]
76id = "T1552.007"
77name = "Container API"
78reference = "https://attack.mitre.org/techniques/T1552/007/"
79
80[rule.threat.tactic]
81id = "TA0006"
82name = "Credential Access"
83reference = "https://attack.mitre.org/tactics/TA0006/"
Triage and analysis
Investigating GKE Secret get or list with Suspicious User Agent
Review user.email, user_agent.original, targeted secret resource, and source.ip.
Investigation steps
- Confirm whether the identity should access secrets with this client fingerprint.
- Pivot on source IP for other API bursts, exec, or RBAC changes.
False positives
- Internal automation using generic libraries; exclude stable service accounts after review.
Setup
The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.
References
Related rules
- GKE Secrets List from Unusual Source AS Organization
- GKE API Request Failure Burst by User
- GKE Admission Webhook Created or Modified
- GKE Cluster-Admin Role Binding Created or Modified
- GKE Container Created with Excessive Linux Capabilities