Loading

Kubernetes Secret Access via Unusual User Agent

This rule detects when secrets are accessed via an unusual user agent, user name and source IP. Attackers may attempt to access secrets in a Kubernetes cluster to gain access to sensitive information after gaining access to the cluster.

Rule type: new_terms
Rule indices:

  • logs-kubernetes.audit_logs-*

Rule Severity: low
Risk Score: 21
Runs every:
Searches indices from: ``
Maximum alerts per execution: 100
References:

Tags:

  • Data Source: Kubernetes
  • Domain: Kubernetes
  • Domain: Cloud
  • Use Case: Threat Detection
  • Tactic: Credential Access

Version: 1
Rule authors:

  • Elastic

Rule license: Elastic License v2

event.dataset:"kubernetes.audit_logs" and kubernetes.audit.objectRef.resource:"secrets" and
kubernetes.audit.verb:("get" or "list") and user_agent.original:(* and not (*kubernetes/$Format))

Framework: MITRE ATT&CK