GKE Secret get or list with Suspicious User Agent
editGKE Secret get or list with Suspicious User Agent
editDetects successful GKE secret get or list operations where the user agent matches scripting runtimes, minimal HTTP clients, or offensive-distribution fingerprints rather than typical kubectl or controller traffic.
Rule type: query
Rule indices:
- logs-gcp.audit-*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: None (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Domain: Kubernetes
- Data Source: GCP
- Data Source: Google Cloud Platform
- Use Case: Threat Detection
- Tactic: Credential Access
- Resources: Investigation Guide
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
editTriage and analysis
Investigating GKE Secret get or list with Suspicious User Agent
Review user.email, user_agent.original, targeted secret resource, and source.ip.
Investigation steps
- Confirm whether the identity should access secrets with this client fingerprint.
- Pivot on source IP for other API bursts, exec, or RBAC changes.
False positives
- Internal automation using generic libraries; exclude stable service accounts after review.
Setup
editThe GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.
Rule query
editdata_stream.dataset:gcp.audit and service.name:"k8s.io" and event.outcome:success and
event.action:("io.k8s.core.v1.secrets.list" or "io.k8s.core.v1.secrets.get") and user_agent.original:(
curl* or python* or Python* or wget* or Go-http* or perl* or java* or node* or php* or *distrib#kali* or *kali-amd64* or
*kali-arm64* or Bun* or axios* or undici*
)
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
-
Technique:
- Name: Unsecured Credentials
- ID: T1552
- Reference URL: https://attack.mitre.org/techniques/T1552/
-
Sub-technique:
- Name: Container API
- ID: T1552.007
- Reference URL: https://attack.mitre.org/techniques/T1552/007/