GKE Admission Webhook Created or Modified

Detects creation or modification of GKE mutating or validating admission webhook configurations by non-system identities. Malicious webhooks can inject workloads, block security tooling, or intercept API traffic for persistence and defense evasion.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2026/06/30"
  3integration = ["gcp"]
  4maturity = "production"
  5updated_date = "2026/06/30"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects creation or modification of GKE mutating or validating admission webhook configurations by non-system identities.
 11Malicious webhooks can inject workloads, block security tooling, or intercept API traffic for persistence and defense
 12evasion.
 13"""
 14false_positives = [
 15    """
 16    GitOps and platform controllers (cert-manager, Gatekeeper, Kyverno, service mesh) legitimately manage webhooks.
 17    Validate change tickets and controller identities before tuning.
 18    """,
 19]
 20from = "now-9m"
 21index = ["logs-gcp.audit-*"]
 22language = "kuery"
 23license = "Elastic License v2"
 24name = "GKE Admission Webhook Created or Modified"
 25note = """## Triage and analysis
 26
 27### Investigating GKE Admission Webhook Created or Modified
 28
 29Review webhook name, actor, and clientConfig destination in `gcp.audit.request`.
 30
 31### Investigation steps
 32
 33- Confirm `user.email`, `event.action`, and webhook resource name.
 34- Inspect webhook URL or in-cluster service target for external endpoints.
 35- Hunt for pod mutations or blocked security deployments after the change.
 36
 37### False positives
 38
 39- Approved controller upgrades during change windows.
 40
 41## Setup
 42
 43The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule."""
 44references = [
 45    "https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/",
 46]
 47risk_score = 47
 48rule_id = "4886ce11-fca5-433f-bbb9-e33e410ef9ae"
 49severity = "medium"
 50tags = [
 51    "Domain: Cloud",
 52    "Domain: Kubernetes",
 53    "Data Source: GCP",
 54    "Data Source: Google Cloud Platform",
 55    "Use Case: Threat Detection",
 56    "Tactic: Persistence",
 57    "Tactic: Defense Evasion",
 58    "Resources: Investigation Guide",
 59]
 60timestamp_override = "event.ingested"
 61type = "query"
 62
 63query = '''
 64data_stream.dataset:gcp.audit and event.outcome:success and event.action:(
 65  "io.k8s.admissionregistration.v1.mutatingwebhookconfigurations.create" or
 66  "io.k8s.admissionregistration.v1.mutatingwebhookconfigurations.update" or
 67  "io.k8s.admissionregistration.v1.mutatingwebhookconfigurations.patch" or
 68  "io.k8s.admissionregistration.v1.validatingwebhookconfigurations.create" or
 69  "io.k8s.admissionregistration.v1.validatingwebhookconfigurations.update" or
 70  "io.k8s.admissionregistration.v1.validatingwebhookconfigurations.patch"
 71) and not user.email:(
 72  "system:kube-controller-manager" or "system:kube-scheduler" or system\:serviceaccount\:kube-system\:* or
 73  system\:serviceaccount\:gke-managed-system\:* or system\:serviceaccount\:cert-manager\:* or
 74  system\:serviceaccount\:gatekeeper-system\:* or system\:serviceaccount\:kyverno\:* or "system:addon-manager" or
 75  *-operator or *-cainjector or *-webhook or *argocd* or "system:gke-common-webhooks"
 76)
 77'''
 78
 79[[rule.threat]]
 80framework = "MITRE ATT&CK"
 81
 82[[rule.threat.technique]]
 83id = "T1546"
 84name = "Event Triggered Execution"
 85reference = "https://attack.mitre.org/techniques/T1546/"
 86
 87[rule.threat.tactic]
 88id = "TA0003"
 89name = "Persistence"
 90reference = "https://attack.mitre.org/tactics/TA0003/"
 91
 92[[rule.threat]]
 93framework = "MITRE ATT&CK"
 94
 95[[rule.threat.technique]]
 96id = "T1562"
 97name = "Impair Defenses"
 98reference = "https://attack.mitre.org/techniques/T1562/"
 99
100[rule.threat.tactic]
101id = "TA0005"
102name = "Defense Evasion"
103reference = "https://attack.mitre.org/tactics/TA0005/"

Triage and analysis

Investigating GKE Admission Webhook Created or Modified

Review webhook name, actor, and clientConfig destination in gcp.audit.request.

Investigation steps

  • Confirm user.email, event.action, and webhook resource name.
  • Inspect webhook URL or in-cluster service target for external endpoints.
  • Hunt for pod mutations or blocked security deployments after the change.

False positives

  • Approved controller upgrades during change windows.

Setup

The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.

References

Related rules

to-top