GKE Secrets List from Unusual Source AS Organization

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

GKE Secrets List from Unusual Source AS Organization

edit

Detects the first time a human GKE caller lists secrets cluster-wide or in default or kube-system from a source autonomous system that is not attributed to common cloud provider organizations. This can indicate remote secret enumeration using stolen credentials from an unusual network.

Rule type: new_terms

Rule indices:

  • logs-gcp.audit-*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Domain: Kubernetes
  • Data Source: GCP
  • Data Source: Google Cloud Platform
  • Use Case: Threat Detection
  • Tactic: Credential Access
  • Tactic: Discovery
  • Resources: Investigation Guide

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating GKE Secrets List from Unusual Source AS Organization

New-terms rule on user.email and source.as.number for cluster-wide or sensitive namespace secret list operations.

Investigation steps

  • Confirm gcp.audit.resource_name and whether listing was authorized.
  • Review source.ip, source.as.organization.name, and follow-on secret get or exec activity.

False positives

  • First-time legitimate admin access from a new office or VPN provider.

Setup

edit

The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule.

Rule query

edit
data_stream.dataset:gcp.audit and service.name:"k8s.io" and event.action:io.k8s.core.v1.secrets.list and gcp.audit.resource_name:(core/v1/namespaces/default/secrets or core/v1/namespaces/kube-system/secrets or core/v1/secrets) and user.email:*@* and source.as.organization.name:(* and not ("Google LLC" or "Microsoft Corporation")) and source.as.number:*

Framework: MITRE ATT&CKTM