GKE Admission Webhook Created or Modified
Detects creation or modification of GKE mutating or validating admission webhook configurations by non-system identities. Malicious webhooks can inject workloads, block security tooling, or intercept API traffic for persistence and defense evasion.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2026/06/30"
3integration = ["gcp"]
4maturity = "production"
5updated_date = "2026/06/30"
6
7[rule]
8author = ["Elastic"]
9description = """
10Detects creation or modification of GKE mutating or validating admission webhook configurations by non-system identities.
11Malicious webhooks can inject workloads, block security tooling, or intercept API traffic for persistence and defense
12evasion.
13"""
14false_positives = [
15 """
16 GitOps and platform controllers (cert-manager, Gatekeeper, Kyverno, service mesh) legitimately manage webhooks.
17 Validate change tickets and controller identities before tuning.
18 """,
19]
20from = "now-9m"
21index = ["logs-gcp.audit-*"]
22language = "kuery"
23license = "Elastic License v2"
24name = "GKE Admission Webhook Created or Modified"
25note = """## Triage and analysis
26
27### Investigating GKE Admission Webhook Created or Modified
28
29Review webhook name, actor, and clientConfig destination in `gcp.audit.request`.
30
31### Investigation steps
32
33- Confirm `user.email`, `event.action`, and webhook resource name.
34- Inspect webhook URL or in-cluster service target for external endpoints.
35- Hunt for pod mutations or blocked security deployments after the change.
36
37### False positives
38
39- Approved controller upgrades during change windows.
40
41## Setup
42
43The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule."""
44references = [
45 "https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/",
46]
47risk_score = 47
48rule_id = "4886ce11-fca5-433f-bbb9-e33e410ef9ae"
49severity = "medium"
50tags = [
51 "Domain: Cloud",
52 "Domain: Kubernetes",
53 "Data Source: GCP",
54 "Data Source: Google Cloud Platform",
55 "Use Case: Threat Detection",
56 "Tactic: Persistence",
57 "Tactic: Defense Evasion",
58 "Resources: Investigation Guide",
59]
60timestamp_override = "event.ingested"
61type = "query"
62
63query = '''
64data_stream.dataset:gcp.audit and event.outcome:success and event.action:(
65 "io.k8s.admissionregistration.v1.mutatingwebhookconfigurations.create" or
66 "io.k8s.admissionregistration.v1.mutatingwebhookconfigurations.update" or
67 "io.k8s.admissionregistration.v1.mutatingwebhookconfigurations.patch" or
68 "io.k8s.admissionregistration.v1.validatingwebhookconfigurations.create" or
69 "io.k8s.admissionregistration.v1.validatingwebhookconfigurations.update" or
70 "io.k8s.admissionregistration.v1.validatingwebhookconfigurations.patch"
71) and not user.email:(
72 "system:kube-controller-manager" or "system:kube-scheduler" or system\:serviceaccount\:kube-system\:* or
73 system\:serviceaccount\:gke-managed-system\:* or system\:serviceaccount\:cert-manager\:* or
74 system\:serviceaccount\:gatekeeper-system\:* or system\:serviceaccount\:kyverno\:* or "system:addon-manager" or
75 *-operator or *-cainjector or *-webhook or *argocd* or "system:gke-common-webhooks"
76)
77'''
78
79[[rule.threat]]
80framework = "MITRE ATT&CK"
81
82[[rule.threat.technique]]
83id = "T1546"
84name = "Event Triggered Execution"
85reference = "https://attack.mitre.org/techniques/T1546/"
86
87[rule.threat.tactic]
88id = "TA0003"
89name = "Persistence"
90reference = "https://attack.mitre.org/tactics/TA0003/"
91
92[[rule.threat]]
93framework = "MITRE ATT&CK"
94
95[[rule.threat.technique]]
96id = "T1562"
97name = "Impair Defenses"
98reference = "https://attack.mitre.org/techniques/T1562/"
99
100[rule.threat.tactic]
101id = "TA0005"
102name = "Defense Evasion"
103reference = "https://attack.mitre.org/tactics/TA0005/"
Triage and analysis
Investigating GKE Admission Webhook Created or Modified
Review webhook name, actor, and clientConfig destination in gcp.audit.request.
Investigation steps
- Confirm
user.email,event.action, and webhook resource name. - Inspect webhook URL or in-cluster service target for external endpoints.
- Hunt for pod mutations or blocked security deployments after the change.
False positives
- Approved controller upgrades during change windows.
Setup
The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.
References
Related rules
- GKE Cluster-Admin Role Binding Created or Modified
- GKE API Request Failure Burst by User
- GKE Container Created with Excessive Linux Capabilities
- GKE Pod Created With HostIPC
- GKE Pod Created With HostNetwork