Kubernetes Secrets List Across Cluster or Sensitive Namespaces

 1[metadata]
 2creation_date = "2026/04/22"
 3integration = ["kubernetes"]
 4maturity = "production"
 5updated_date = "2026/05/11"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Detects list operations on Kubernetes Secrets from a non-loopback client when the request URI targets cluster-wide
11secrets or list operations under kube-system or default. Useful for spotting broad secret enumeration from remote
12clients.
13"""
14from = "now-6m"
15index = ["logs-kubernetes.audit_logs-*"]
16language = "kuery"
17license = "Elastic License v2"
18name = "Kubernetes Secrets List Across Cluster or Sensitive Namespaces"
19note = """## Triage and analysis
20
21### Investigating Kubernetes Secrets List Across Cluster or Sensitive Namespaces
22
23Audit events for `list` on the `secrets` resource against `/api/v1/secrets`, paginated cluster lists, or namespace-scoped
24lists under `kube-system` or `default`, from a source IP that is not localhost.
25
26### Investigation steps
27
28- Confirm the actor (`user.name`, groups) and whether the client is expected (CI, admin bastion, controller).
29- Review `kubernetes.audit.requestURI`, `user_agent.original`, and follow-on API activity from the same source.
30- Assess exposure: cluster-wide secret listing can surface many credentials.
31
32### False positives
33
34- Legitimate controllers or operators listing secrets in `kube-system` / `default` from cluster nodes may match; tune by
35  source IP, user agent, or service account as needed.
36"""
37references = [
38    "https://attack.mitre.org/techniques/T1552/007/",
39]
40risk_score = 73
41rule_id = "7e3f9a2b-1c4d-5e6f-8a0b-9c8d7e6f5a4b"
42severity = "high"
43tags = [
44    "Data Source: Kubernetes",
45    "Domain: Kubernetes",
46    "Use Case: Threat Detection",
47    "Tactic: Credential Access",
48    "Tactic: Discovery",
49    "Resources: Investigation Guide",
50]
51timestamp_override = "event.ingested"
52type = "query"
53query = '''
54event.dataset:"kubernetes.audit_logs" and event.action:list and 
55kubernetes.audit.objectRef.resource:secrets and 
56kubernetes.audit.requestURI :(/api/v1/secrets or /api/v1/secrets?limit* or /api/v1/namespaces/kube-system/secrets or /api/v1/namespaces/kube-system/secrets?limit* or /api/v1/namespaces/default/secrets or /api/v1/namespaces/default/secrets?limit*) and 
57source.ip:(* and not ("::1" or "127.0.0.1")) and 
58not user.name: (system\:kube-controller-manager or eks\:cloud-controller-manager or eks\:kms-storage-migrator) and 
59not kubernetes.audit.user.groups:"system:serviceaccounts:ibm-csi"
60'''
61
62[[rule.threat]]
63framework = "MITRE ATT&CK"
64
65[[rule.threat.technique]]
66id = "T1552"
67name = "Unsecured Credentials"
68reference = "https://attack.mitre.org/techniques/T1552/"
69
70[[rule.threat.technique.subtechnique]]
71id = "T1552.007"
72name = "Container API"
73reference = "https://attack.mitre.org/techniques/T1552/007/"
74
75[rule.threat.tactic]
76id = "TA0006"
77name = "Credential Access"
78reference = "https://attack.mitre.org/tactics/TA0006/"
79
80[[rule.threat]]
81framework = "MITRE ATT&CK"
82
83[[rule.threat.technique]]
84id = "T1613"
85name = "Container and Resource Discovery"
86reference = "https://attack.mitre.org/techniques/T1613/"
87
88[rule.threat.tactic]
89id = "TA0007"
90name = "Discovery"
91reference = "https://attack.mitre.org/tactics/TA0007/"