Kubernetes Rapid Secret GET Activity Against Multiple Objects

 1[metadata]
 2creation_date = "2026/04/22"
 3integration = ["kubernetes"]
 4maturity = "production"
 5updated_date = "2026/04/22"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10This rule detects an unusual volume of Kubernetes API get requests against multiple distinct Secret objects from the same client 
11fingerprint (user, source IP, and user agent) within a defined lookback window. This can indicate credential access or in-cluster
12reconnaissance, where a user or token is used to enumerate and retrieve sensitive data such as service account tokens, registry 
13credentials, TLS material, or application configuration. Failed get requests are also included, as they may reveal RBAC boundaries, 
14confirm the existence of targeted secrets, or reflect automated probing activity.
15"""
16from = "now-6m"
17language = "esql"
18license = "Elastic License v2"
19name = "Kubernetes Rapid Secret GET Activity Against Multiple Objects"
20note = """## Triage and analysis
21
22### Investigating Kubernetes Rapid Secret GET Activity Against Multiple Objects
23
24This rule surfaces clusters of `get` operations on the `secrets` API where the same identity and client path
25(`user.name`, `source.ip`, `user_agent.original`) touch several different secret names within the rule lookback window.
26**Allowed and denied** outcomes are included: successful reads may indicate harvesting; repeated **forbidden** or
27**unauthorized** responses can still signal reconnaissance, RBAC probing, or scripted spray against secret names that
28exist in the cluster.
29
30### Investigation steps
31
32- Inspect `Esql.outcome` for a mix of allow vs deny and whether failures cluster on sensitive namespaces.
33- Map the identity to RBAC and namespace scope; review `Esql.secrets_names` and `Esql.namespaces` for high-value
34  targets (tokens, registry credentials, TLS bundles, application secrets).
35- Pivot on the same `source.ip` and user for follow-on API activity (exec, pod create, role changes, broad `list` on secrets).
36- Validate against expected automation (CI, GitOps, backup, in-cluster controllers) before treating as malicious.
37
38### False positives
39
40- Startup, Helm, or controllers may legitimately touch many secrets in one window; tune by user, namespace, or IP
41  allowlists when baselined.
42"""
43references = [
44    "https://attack.mitre.org/techniques/T1552/007/",
45]
46risk_score = 73
47rule_id = "b4c8e2a1-9f3d-4e7c-a2b1-0d5e6f7a8b9c"
48severity = "high"
49tags = [
50    "Data Source: Kubernetes",
51    "Domain: Kubernetes",
52    "Use Case: Threat Detection",
53    "Tactic: Credential Access",
54    "Resources: Investigation Guide",
55]
56timestamp_override = "event.ingested"
57type = "esql"
58query = '''
59from logs-kubernetes.audit_logs-* metadata _id, _index, _version
60| where event.dataset == "kubernetes.audit_logs"
61    and event.action == "get"
62    and kubernetes.audit.objectRef.resource == "secrets"
63    and source.ip is not null and user.name is not null 
64    and not to_string(source.ip) in ("127.0.0.1", "::1") and 
65    not user.name in ("system:kube-controller-manager", "system:kube-scheduler") and 
66    not kubernetes.audit.objectRef.name like "sh.helm.release.*"
67| stats
68    Esql.unique_credentials = count_distinct(kubernetes.audit.objectRef.name),
69    Esql.secrets_names = values(kubernetes.audit.objectRef.name),
70    Esql.namespaces = values(kubernetes.audit.objectRef.namespace),
71    Esql.outcome = values(`kubernetes.audit.annotations.authorization_k8s_io/decision`)
72  by user.name, source.ip, user_agent.original
73| where Esql.unique_credentials >= 3
74| KEEP user.name, source.ip, user_agent.original, Esql.*
75'''
76
77[[rule.threat]]
78framework = "MITRE ATT&CK"
79
80[[rule.threat.technique]]
81id = "T1552"
82name = "Unsecured Credentials"
83reference = "https://attack.mitre.org/techniques/T1552/"
84
85[[rule.threat.technique.subtechnique]]
86id = "T1552.007"
87name = "Container API"
88reference = "https://attack.mitre.org/techniques/T1552/007/"
89
90[rule.threat.tactic]
91id = "TA0006"
92name = "Credential Access"
93reference = "https://attack.mitre.org/tactics/TA0006/"