GKE Admission Webhook Created or Modified

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

GKE Admission Webhook Created or Modified

edit

Detects creation or modification of GKE mutating or validating admission webhook configurations by non-system identities. Malicious webhooks can inject workloads, block security tooling, or intercept API traffic for persistence and defense evasion.

Rule type: query

Rule indices:

  • logs-gcp.audit-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Domain: Kubernetes
  • Data Source: GCP
  • Data Source: Google Cloud Platform
  • Use Case: Threat Detection
  • Tactic: Persistence
  • Tactic: Defense Evasion
  • Resources: Investigation Guide

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating GKE Admission Webhook Created or Modified

Review webhook name, actor, and clientConfig destination in gcp.audit.request.

Investigation steps

  • Confirm user.email, event.action, and webhook resource name.
  • Inspect webhook URL or in-cluster service target for external endpoints.
  • Hunt for pod mutations or blocked security deployments after the change.

False positives

  • Approved controller upgrades during change windows.

Setup

edit

The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.

Rule query

edit
data_stream.dataset:gcp.audit and event.outcome:success and event.action:(
  "io.k8s.admissionregistration.v1.mutatingwebhookconfigurations.create" or
  "io.k8s.admissionregistration.v1.mutatingwebhookconfigurations.update" or
  "io.k8s.admissionregistration.v1.mutatingwebhookconfigurations.patch" or
  "io.k8s.admissionregistration.v1.validatingwebhookconfigurations.create" or
  "io.k8s.admissionregistration.v1.validatingwebhookconfigurations.update" or
  "io.k8s.admissionregistration.v1.validatingwebhookconfigurations.patch"
) and not user.email:(
  "system:kube-controller-manager" or "system:kube-scheduler" or system\:serviceaccount\:kube-system\:* or
  system\:serviceaccount\:gke-managed-system\:* or system\:serviceaccount\:cert-manager\:* or
  system\:serviceaccount\:gatekeeper-system\:* or system\:serviceaccount\:kyverno\:* or "system:addon-manager" or
  *-operator or *-cainjector or *-webhook or *argocd* or "system:gke-common-webhooks"
)

Framework: MITRE ATT&CKTM