GKE Secret get or list with Suspicious User Agent

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

GKE Secret get or list with Suspicious User Agent

edit

Detects successful GKE secret get or list operations where the user agent matches scripting runtimes, minimal HTTP clients, or offensive-distribution fingerprints rather than typical kubectl or controller traffic.

Rule type: query

Rule indices:

  • logs-gcp.audit-*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: None (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Domain: Kubernetes
  • Data Source: GCP
  • Data Source: Google Cloud Platform
  • Use Case: Threat Detection
  • Tactic: Credential Access
  • Resources: Investigation Guide

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating GKE Secret get or list with Suspicious User Agent

Review user.email, user_agent.original, targeted secret resource, and source.ip.

Investigation steps

  • Confirm whether the identity should access secrets with this client fingerprint.
  • Pivot on source IP for other API bursts, exec, or RBAC changes.

False positives

  • Internal automation using generic libraries; exclude stable service accounts after review.

Setup

edit

The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.

Rule query

edit
data_stream.dataset:gcp.audit and service.name:"k8s.io" and event.outcome:success and
event.action:("io.k8s.core.v1.secrets.list" or "io.k8s.core.v1.secrets.get") and user_agent.original:(
  curl* or python* or Python* or wget* or Go-http* or perl* or java* or node* or php* or *distrib#kali* or *kali-amd64* or
  *kali-arm64* or Bun* or axios* or undici*
)

Framework: MITRE ATT&CKTM