Kubernetes Anonymous User Create/Update/Patch Pods Request

 1[metadata]
 2creation_date = "2026/02/02"
 3integration = ["kubernetes"]
 4maturity = "production"
 5updated_date = "2026/02/02"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10This rule detects attempts to create, update, or patch pods by an anonymous user. An anonymous user is a user that
11is not authenticated or authorized to access the Kubernetes API server. Creating, updating, or patching pods is a common
12activity for attackers to gain access to the cluster and execute commands.
13"""
14index = ["logs-kubernetes.audit_logs-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Kubernetes Anonymous User Create/Update/Patch Pods Request"
18risk_score = 47
19rule_id = "3a01e5c6-ce01-46d7-ac9f-52dc349695fb"
20severity = "medium"
21tags = [
22    "Data Source: Kubernetes",
23    "Domain: Kubernetes",
24    "Use Case: Threat Detection",
25    "Tactic: Execution",
26    "Resources: Investigation Guide"
27    ]
28timestamp_override = "event.ingested"
29type = "eql"
30query = '''
31any where event.dataset == "kubernetes.audit_logs" and (
32    kubernetes.audit.user.username in ("system:anonymous", "system:unauthenticated") or
33    kubernetes.audit.user.username == null or
34    kubernetes.audit.user.username == ""
35  ) and kubernetes.audit.level in ("RequestResponse", "ResponseComplete", "Request") and kubernetes.audit.verb in ("create", "update", "patch") and
36kubernetes.audit.objectRef.resource == "pods"
37
38'''
39
40[[rule.threat]]
41framework = "MITRE ATT&CK"
42
43[rule.threat.tactic]
44id = "TA0002"
45name = "Execution"
46reference = "https://attack.mitre.org/tactics/TA0002/"