GKE API Request Failure Burst by User

Detects bursts of failed GKE API requests from a single user identity within a five-minute window. Repeated authorization failures across multiple actions can indicate credential stuffing, RBAC probing, or reconnaissance with stolen tokens.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2026/06/30"
 3integration = ["gcp"]
 4maturity = "production"
 5updated_date = "2026/06/30"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Detects bursts of failed GKE API requests from a single user identity within a five-minute window. Repeated authorization
11failures across multiple actions can indicate credential stuffing, RBAC probing, or reconnaissance with stolen tokens.
12"""
13from = "now-11m"
14interval = "5m"
15language = "esql"
16license = "Elastic License v2"
17name = "GKE API Request Failure Burst by User"
18note = """## Triage and analysis
19
20### Investigating GKE API Request Failure Burst by User
21
22The rule aggregates failed Kubernetes API calls per `user.email`, source IP, and user agent in five-minute buckets and
23alerts when failures reach ten or more.
24
25### Investigation steps
26
27- Review `Esql.actions` and `Esql.resources` for targeted API operations.
28- Validate whether the identity should exist and whether the source IP is expected.
29- Hunt for later successful calls indicating privilege escalation.
30
31### False positives
32
33- Misconfigured automation or CI jobs with stale credentials may generate bursts; exclude known service accounts.
34
35## Setup
36
37The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule."""
38references = [
39    "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
40    "https://attack.mitre.org/techniques/T1613/",
41]
42risk_score = 47
43rule_id = "94556bc7-e057-4759-9e49-fa79ee366101"
44severity = "medium"
45tags = [
46    "Domain: Cloud",
47    "Domain: Kubernetes",
48    "Data Source: GCP",
49    "Data Source: Google Cloud Platform",
50    "Use Case: Threat Detection",
51    "Tactic: Discovery",
52    "Resources: Investigation Guide",
53]
54timestamp_override = "event.ingested"
55type = "esql"
56
57query = '''
58from logs-gcp.audit-* metadata _id, _index, _version
59| eval Esql.time_interval = date_trunc(5 minutes, @timestamp)
60| where data_stream.dataset == "gcp.audit"
61    and service.name == "k8s.io"
62    and event.outcome == "failure"
63    and event.type != "allowed"
64    and user.email is not null
65    and not to_string(user.email) rlike "(system:serviceaccount:|system:gke-spiffe-controller|system:kube-scheduler|system:node:).*"
66| stats
67    Esql.unique_actions = count_distinct(event.action),
68    Esql.failures_count = count(*),
69    Esql.actions = values(event.action),
70    Esql.resources = values(orchestrator.resource.name)
71  by user.email, source.ip, user_agent.original, data_stream.namespace, Esql.time_interval
72| where Esql.failures_count >= 10
73| keep Esql.*, user.email, source.ip, user_agent.original, data_stream.namespace
74'''
75
76[[rule.threat]]
77framework = "MITRE ATT&CK"
78
79[[rule.threat.technique]]
80id = "T1613"
81name = "Container and Resource Discovery"
82reference = "https://attack.mitre.org/techniques/T1613/"
83
84[rule.threat.tactic]
85id = "TA0007"
86name = "Discovery"
87reference = "https://attack.mitre.org/tactics/TA0007/"

Triage and analysis

Investigating GKE API Request Failure Burst by User

The rule aggregates failed Kubernetes API calls per user.email, source IP, and user agent in five-minute buckets and alerts when failures reach ten or more.

Investigation steps

  • Review Esql.actions and Esql.resources for targeted API operations.
  • Validate whether the identity should exist and whether the source IP is expected.
  • Hunt for later successful calls indicating privilege escalation.

False positives

  • Misconfigured automation or CI jobs with stale credentials may generate bursts; exclude known service accounts.

Setup

The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.

References

Related rules

to-top