Kubernetes Secret Access via Unusual User Agent

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Kubernetes Secret Access via Unusual User Agent

This rule detects when secrets are accessed via an unusual user agent, user name and source IP. Attackers may attempt to access secrets in a Kubernetes cluster to gain access to sensitive information after gaining access to the cluster.

Rule type: new_terms

Rule indices:

logs-kubernetes.audit_logs-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: None (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

Data Source: Kubernetes
Domain: Kubernetes
Domain: Cloud
Use Case: Threat Detection
Tactic: Credential Access

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

event.dataset:"kubernetes.audit_logs" and kubernetes.audit.objectRef.resource:"secrets" and
kubernetes.audit.verb:("get" or "list") and user_agent.original:(* and not (*kubernetes/$Format))

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
Technique:
- Name: Unsecured Credentials
- ID: T1552
- Reference URL: https://attack.mitre.org/techniques/T1552/
Sub-technique:
- Name: Container API
- ID: T1552.007
- Reference URL: https://attack.mitre.org/techniques/T1552/007/

« Suspicious Python Shell Command Execution M365 Azure Monitor Alert Email with Financial or Billing Theme »