Kubernetes Secret Access via Unusual User Agent
This rule detects when Kubernetes secrets are read by a combination of user agent, user name and source IP that has not previously been seen in the cluster's audit logs. Attackers may attempt to access secrets in a Kubernetes cluster to gain access to sensitive information after gaining access to the cluster.
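[metadata]
creation_date = "2026/03/26"
integration = ["kubernetes"]
maturity = "production"
updated_date = "2026/03/26"

[rule]
author = ["Elastic"]
description = """
This rule detects when secrets are accessed via an unusual user agent, user name and source IP. Attackers
may attempt to access secrets in a Kubernetes cluster to gain access to sensitive information after gaining
access to the cluster.
"""
index = ["logs-kubernetes.audit_logs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Kubernetes Secret Access via Unusual User Agent"
# Low score/severity: a new_terms rule keyed on three fields will fire on every previously
# unseen client tuple, so it is a triage signal rather than a high-confidence alert.
risk_score = 21
rule_id = "cbda9a0e-2be4-4eaa-9571-8d6a503e9828"
severity = "low"
tags = [
 "Data Source: Kubernetes",
 "Domain: Kubernetes",
 "Domain: Cloud",
 "Use Case: Threat Detection",
 "Tactic: Credential Access",
]
timestamp_override = "event.ingested"
type = "new_terms"
# Verbs: `get` and `list` read secret objects, but a `watch` on the secrets resource also
# returns the full objects (including data), so it is included to close that read path.
# Controllers and informers that watch secrets should settle into the 7-day baseline as
# stable terms; review the baseline before deploying if this proves noisy.
#
# `user_agent.original:*` requires a user agent to be present, so a request that omits the
# User-Agent header is not evaluated at all (presumably because the field is also a
# new_terms field and must exist — confirm). The `not (*kubernetes/$Format)` clause is only
# a noise filter for in-cluster clients: the User-Agent header is entirely client-controlled,
# so an attacker can append that suffix to opt out of this rule. Treat it as tuning, not as a
# trust boundary, and pair with the related secrets-enumeration rules.
# NOTE(review): a leading-wildcard pattern on a keyword field is expensive; keep this
# exclusion list short and prefer exact values where the telemetry allows.
query = '''
event.dataset:"kubernetes.audit_logs" and kubernetes.audit.objectRef.resource:"secrets" and
kubernetes.audit.verb:("get" or "list" or "watch") and user_agent.original:(* and not (*kubernetes/$Format))
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"

[[rule.threat.technique.subtechnique]]
id = "T1552.007"
name = "Container API"
reference = "https://attack.mitre.org/techniques/T1552/007/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

# The alert keys on the combination of all three fields: a known user from a known address
# using a client string not seen with that pair before still fires. A document missing any of
# these fields will not produce a term.
[rule.new_terms]
field = "new_terms_fields"
value = ["source.ip", "user.name", "user_agent.original"]

# Look-back used to build the "seen before" baseline; shorter windows raise alert volume
# after cluster upgrades, when many in-cluster clients change their version string at once.
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"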
Related rules
- Kubernetes Secret or ConfigMap Access via Azure Arc Proxy
- Service Account Token or Certificate Access Followed by Kubernetes API Request
- Multiple Cloud Secrets Accessed by Source Address
- Kubectl Secrets Enumeration Across All Namespaces
- Azure Arc Cluster Credential Access by Identity from Unusual Source