Kubernetes Secrets List Across Cluster or Sensitive Namespaces

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.


Detects list operations on Kubernetes Secrets from a non-loopback client when the request URI targets cluster-wide secrets or list operations under kube-system or default. Useful for spotting broad secret enumeration from remote clients.

Rule type: query

Rule indices:

  • logs-kubernetes.audit_logs-*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Data Source: Kubernetes
  • Domain: Kubernetes
  • Use Case: Threat Detection
  • Tactic: Credential Access
  • Tactic: Discovery
  • Resources: Investigation Guide

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide


Triage and analysis

Investigating Kubernetes Secrets List Across Cluster or Sensitive Namespaces

This rule matches Kubernetes audit events for list operations on the secrets resource where the request targets /api/v1/secrets (including paginated cluster-wide lists) or a namespace-scoped secrets list under kube-system or default, and the source IP is not localhost.

Investigation steps

  • Confirm the actor (user.name, groups) and whether the client is expected (CI, admin bastion, controller).
  • Review kubernetes.audit.requestURI, user_agent.original, and follow-on API activity from the same source.
  • Assess exposure: cluster-wide secret listing can surface many credentials.

False positives

  • Legitimate controllers or operators listing secrets in kube-system / default from cluster nodes may match; tune by source IP, user agent, or service account as needed.

Rule query

event.dataset:"kubernetes.audit_logs" and event.action:list and
kubernetes.audit.objectRef.resource:secrets and
kubernetes.audit.requestURI:(
  /api/v1/secrets or /api/v1/secrets?limit* or
  /api/v1/namespaces/kube-system/secrets or /api/v1/namespaces/kube-system/secrets?limit* or
  /api/v1/namespaces/default/secrets or /api/v1/namespaces/default/secrets?limit*
) and
source.ip:(* and not ("::1" or "127.0.0.1")) and
not user.name: (system\:kube-controller-manager or eks\:cloud-controller-manager or eks\:kms-storage-migrator)
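As an added example (not part of the Elastic rule or its documentation), the following Python re-implements the query's matching logic clause by clause over a few constructed ECS-shaped audit events, then groups the hits by actor and source IP so that follow-on requests from the same client are visible, as the investigation steps suggest. The field paths follow the rule query; the event dicts, the `make_event` helper and the sample identities and addresses are constructed for illustration.

```python
"""Added example: the rule's match logic re-implemented over ECS-shaped audit events."""

# Request URIs the rule treats as broad or sensitive secret listings.
EXACT_URIS = frozenset({
    "/api/v1/secrets",
    "/api/v1/namespaces/kube-system/secrets",
    "/api/v1/namespaces/default/secrets",
})
# The "?limit*" terms in the query match paginated variants of the same URIs.
PAGINATED_PREFIXES = tuple(u + "?limit" for u in sorted(EXACT_URIS))

# Identities the query excludes with "not user.name:(...)".
EXCLUDED_USERS = frozenset({
    "system:kube-controller-manager",
    "eks:cloud-controller-manager",
    "eks:kms-storage-migrator",
})

# Only these two literals are excluded by the query; other addresses still match.
LOOPBACK = frozenset({"::1", "127.0.0.1"})


def field(event, path):
    """Walk a dotted ECS field path (e.g. "kubernetes.audit.requestURI") through nested dicts."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def uri_in_scope(uri):
    """True for the exact URIs or their paginated "?limit..." forms."""
    return uri in EXACT_URIS or uri.startswith(PAGINATED_PREFIXES)


def matches_rule(event):
    """Evaluate one event against every clause of the rule query."""
    if field(event, "event.dataset") != "kubernetes.audit_logs":
        return False
    if field(event, "event.action") != "list":
        return False
    if field(event, "kubernetes.audit.objectRef.resource") != "secrets":
        return False
    uri = field(event, "kubernetes.audit.requestURI")
    if not isinstance(uri, str) or not uri_in_scope(uri):
        return False
    ip = field(event, "source.ip")
    # source.ip:(* and not (...)) requires the field to exist and not be loopback.
    if ip is None or ip in LOOPBACK:
        return False
    if field(event, "user.name") in EXCLUDED_USERS:
        return False
    return True


def triage(events):
    """Group matching events by (user, source IP) so one client's follow-on activity is visible."""
    hits = {}
    for ev in events:
        if matches_rule(ev):
            key = (field(ev, "user.name"), field(ev, "source.ip"))
            hits.setdefault(key, []).append(field(ev, "kubernetes.audit.requestURI"))
    return hits


def make_event(user, ip, uri, action="list", resource="secrets"):
    """Constructed ECS-shaped audit event (hypothetical helper, not an Elastic API)."""
    ev = {
        "event": {"dataset": "kubernetes.audit_logs", "action": action},
        "kubernetes": {"audit": {"objectRef": {"resource": resource}, "requestURI": uri}},
        "user": {"name": user},
    }
    if ip is not None:
        ev["source"] = {"ip": ip}
    return ev


# Constructed sample events covering each branch of the query.
SAMPLE_EVENTS = [
    make_event("jane", "10.0.3.7", "/api/v1/secrets?limit=500"),                    # cluster-wide, paginated
    make_event("jane", "10.0.3.7", "/api/v1/namespaces/kube-system/secrets"),      # sensitive namespace
    make_event("system:kube-controller-manager", "10.0.0.2", "/api/v1/secrets"),   # excluded identity
    make_event("admin", "127.0.0.1", "/api/v1/namespaces/default/secrets"),        # loopback client
    make_event("jane", "10.0.3.7", "/api/v1/namespaces/dev/secrets"),              # namespace not in scope
    make_event("jane", "10.0.3.7", "/api/v1/secrets?watch=true", action="watch"),  # not a list
    make_event("ci-bot", None, "/api/v1/secrets"),                                 # no source.ip recorded
]

if __name__ == "__main__":
    for (user, ip), uris in triage(SAMPLE_EVENTS).items():
        print(f"{user} from {ip} listed secrets via {len(uris)} request(s): {uris}")
```

Two details worth noting when tuning: the query only excludes the two loopback literals, so an in-cluster controller calling the API from a pod or node address is not excluded by source IP (hence the false-positive guidance above), and the `?limit*` terms mean a paginated listing that also carries a `continue` token still matches, while a GET of a single named secret under the same namespace does not.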

Framework: MITRE ATT&CK™