GKE Suspicious Self-Subject Review via Service Account
Detects GKE service account or node identities invoking self-subject access or rules review APIs. Non-human identities rarely enumerate their own permissions outside known controllers; this can indicate stolen tokens probing effective RBAC.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2026/06/30"
3integration = ["gcp"]
4maturity = "production"
5updated_date = "2026/06/30"
6
7[rule]
8author = ["Elastic"]
9description = """
10Detects GKE service account or node identities invoking self-subject access or rules review APIs. Non-human identities
11rarely enumerate their own permissions outside known controllers; this can indicate stolen tokens probing effective RBAC.
12"""
13false_positives = [
14 """
15 Some controllers and admin impersonation workflows legitimately submit self-subject reviews. Excluded identities
16 include common Argo and Datadog service accounts.
17 """,
18]
19index = ["logs-gcp.audit-*"]
20language = "kuery"
21license = "Elastic License v2"
22name = "GKE Suspicious Self-Subject Review via Service Account"
23note = """## Triage and analysis
24
25### Investigating GKE Suspicious Self-Subject Review via Service Account
26
27Review the calling service account or node identity and subsequent API activity.
28
29### Investigation steps
30
31- Confirm `user.email` and `event.action` (selfsubjectaccessreviews or selfsubjectrulesreviews).
32- Correlate with denied requests, secret access, or RBAC changes from the same identity.
33
34### False positives
35
36- Known observability or workflow controllers; extend exclusions if needed.
37
38## Setup
39
40The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule."""
41references = [
42 "https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access",
43]
44risk_score = 21
45rule_id = "2302fb59-5201-46ec-b433-6044adb37b0b"
46severity = "low"
47tags = [
48 "Domain: Cloud",
49 "Domain: Kubernetes",
50 "Data Source: GCP",
51 "Data Source: Google Cloud Platform",
52 "Use Case: Threat Detection",
53 "Tactic: Discovery",
54 "Resources: Investigation Guide",
55]
56timestamp_override = "event.ingested"
57type = "query"
58
59query = '''
60data_stream.dataset:gcp.audit and service.name:k8s.io and event.action:(io.k8s.authorization.v1.selfsubjectaccessreviews.create or io.k8s.authorization.v1.selfsubjectrulesreviews.create) and user.email:((system\:node\:* or system\:serviceaccount\:*) and not ("system:serviceaccount:default:argo-argo-workflows-server" or "system:serviceaccount:default:argo-argo-workflows-workflow-controller" or system\:serviceaccount\:*\:datadog-kube-state-metrics))
61'''
62
63[[rule.threat]]
64framework = "MITRE ATT&CK"
65
66[[rule.threat.technique]]
67id = "T1069"
68name = "Permission Groups Discovery"
69reference = "https://attack.mitre.org/techniques/T1069/"
70
71[[rule.threat.technique.subtechnique]]
72id = "T1069.003"
73name = "Cloud Groups"
74reference = "https://attack.mitre.org/techniques/T1069/003/"
75
76[[rule.threat.technique]]
77id = "T1613"
78name = "Container and Resource Discovery"
79reference = "https://attack.mitre.org/techniques/T1613/"
80
81[rule.threat.tactic]
82id = "TA0007"
83name = "Discovery"
84reference = "https://attack.mitre.org/tactics/TA0007/"
Triage and analysis
Investigating GKE Suspicious Self-Subject Review via Service Account
Review the calling service account or node identity and subsequent API activity.
Investigation steps
- Confirm
user.emailandevent.action(selfsubjectaccessreviews or selfsubjectrulesreviews). - Correlate with denied requests, secret access, or RBAC changes from the same identity.
False positives
- Known observability or workflow controllers; extend exclusions if needed.
Setup
The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.
References
Related rules
- GKE API Request Failure Burst by User
- GKE Secrets List from Unusual Source AS Organization
- GKE Admission Webhook Created or Modified
- GKE Cluster-Admin Role Binding Created or Modified
- GKE Container Created with Excessive Linux Capabilities