
Summary
Detects creation or modification of Kubernetes GKE admission webhook configurations by non-system identities by analyzing GCP audit logs (gcp.audit). The rule targets mutatingwebhookconfigurations and validatingwebhookconfigurations to identify actors who inject or alter admission webhooks, enabling workload modification, API traffic interception, or persistence/defense evasion. It matches successful audit events for create, update, or patch actions on admission webhook configurations while excluding system/service accounts (e.g., kube-controller-manager, kube-scheduler, kube-system service accounts, cert-manager, gatekeeper, kyverno, addon-manager, and common operators). The rule maps to MITRE techniques T1546 (Event Triggered Execution) under Persistence and T1562 (Impair Defenses) under Defense Evasion. False positives include legitimate controller upgrades during approved maintenance windows. Setup requires enabling the GCP Fleet integration with GKE audit logs. Investigation steps include validating user.email, event.action, and webhook resource name; inspecting webhook URL or in-cluster service target; and looking for downstream pod mutations or blocked security deployments after the change. The rule has a risk score of 47 and a severity of medium.
Categories
- Cloud
- Kubernetes
Data Sources
- Cloud Service
ATT&CK Techniques
- T1546
- T1562
Created: 2026-06-30