GKE API Request Failure Burst by User
Detects bursts of failed GKE API requests from a single user identity within a five-minute window. Repeated authorization failures across multiple actions can indicate credential stuffing, RBAC probing, or reconnaissance with stolen tokens.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2026/06/30"
3integration = ["gcp"]
4maturity = "production"
5updated_date = "2026/06/30"
6
7[rule]
8author = ["Elastic"]
9description = """
10Detects bursts of failed GKE API requests from a single user identity within a five-minute window. Repeated authorization
11failures across multiple actions can indicate credential stuffing, RBAC probing, or reconnaissance with stolen tokens.
12"""
13from = "now-11m"
14interval = "5m"
15language = "esql"
16license = "Elastic License v2"
17name = "GKE API Request Failure Burst by User"
18note = """## Triage and analysis
19
20### Investigating GKE API Request Failure Burst by User
21
22The rule aggregates failed Kubernetes API calls per `user.email`, source IP, and user agent in five-minute buckets and
23alerts when failures reach ten or more.
24
25### Investigation steps
26
27- Review `Esql.actions` and `Esql.resources` for targeted API operations.
28- Validate whether the identity should exist and whether the source IP is expected.
29- Hunt for later successful calls indicating privilege escalation.
30
31### False positives
32
33- Misconfigured automation or CI jobs with stale credentials may generate bursts; exclude known service accounts.
34
35## Setup
36
37The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule."""
38references = [
39 "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
40 "https://attack.mitre.org/techniques/T1613/",
41]
42risk_score = 47
43rule_id = "94556bc7-e057-4759-9e49-fa79ee366101"
44severity = "medium"
45tags = [
46 "Domain: Cloud",
47 "Domain: Kubernetes",
48 "Data Source: GCP",
49 "Data Source: Google Cloud Platform",
50 "Use Case: Threat Detection",
51 "Tactic: Discovery",
52 "Resources: Investigation Guide",
53]
54timestamp_override = "event.ingested"
55type = "esql"
56
57query = '''
58from logs-gcp.audit-* metadata _id, _index, _version
59| eval Esql.time_interval = date_trunc(5 minutes, @timestamp)
60| where data_stream.dataset == "gcp.audit"
61 and service.name == "k8s.io"
62 and event.outcome == "failure"
63 and event.type != "allowed"
64 and user.email is not null
65 and not to_string(user.email) rlike "(system:serviceaccount:|system:gke-spiffe-controller|system:kube-scheduler|system:node:).*"
66| stats
67 Esql.unique_actions = count_distinct(event.action),
68 Esql.failures_count = count(*),
69 Esql.actions = values(event.action),
70 Esql.resources = values(orchestrator.resource.name)
71 by user.email, source.ip, user_agent.original, data_stream.namespace, Esql.time_interval
72| where Esql.failures_count >= 10
73| keep Esql.*, user.email, source.ip, user_agent.original, data_stream.namespace
74'''
75
76[[rule.threat]]
77framework = "MITRE ATT&CK"
78
79[[rule.threat.technique]]
80id = "T1613"
81name = "Container and Resource Discovery"
82reference = "https://attack.mitre.org/techniques/T1613/"
83
84[rule.threat.tactic]
85id = "TA0007"
86name = "Discovery"
87reference = "https://attack.mitre.org/tactics/TA0007/"
Triage and analysis
Investigating GKE API Request Failure Burst by User
The rule aggregates failed Kubernetes API calls per user.email, source IP, and user agent in five-minute buckets and
alerts when failures reach ten or more.
Investigation steps
- Review
Esql.actionsandEsql.resourcesfor targeted API operations. - Validate whether the identity should exist and whether the source IP is expected.
- Hunt for later successful calls indicating privilege escalation.
False positives
- Misconfigured automation or CI jobs with stale credentials may generate bursts; exclude known service accounts.
Setup
The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.
References
Related rules
- GKE Secrets List from Unusual Source AS Organization
- GKE Suspicious Self-Subject Review via Service Account
- GKE Admission Webhook Created or Modified
- GKE Cluster-Admin Role Binding Created or Modified
- GKE Container Created with Excessive Linux Capabilities