
Summary
Detects successful GKE secret get or list operations where the client’s user agent fingerprint resembles scripting runtimes or common offensive-distribution fingerprints rather than typical kubectl/controller traffic. The rule targets GCP audit logs (data_stream.dataset:gcp.audit) with service.name:"k8s.io", event.outcome:success, and event.action: ("io.k8s.core.v1.secrets.list" or "io.k8s.core.v1.secrets.get"). It also requires user_agent.original to match patterns like curl*, python*, wget*, Go-http*, perl*, java*, node*, php*, or fingerprint strings associated with Kali or similar tooling. This indicates potential credential access against Kubernetes Secrets via the Container API. The detection aligns with MITRE ATT&CK: T1552 (Unsecured Credentials) with subtechnique T1552.007 (Container API) under the Credential Access tactic (TA0006). The rule emphasizes investigating whether the identity should access secrets with this client fingerprint, and prompting pivots on source IP to identify bursts, RBAC changes, or related activity. It includes guidance to differentiate false positives from internal automation and to review related tickets and scope. Setup requires enabling the GCP Fleet integration with GKE audit logs. Severity is high with a risk score of 73, reflecting the sensitivity of secret access events and the potential for credential compromise in Kubernetes environments.
Categories
- Cloud
- GCP
- Kubernetes
- Containers
Data Sources
- Cloud Service
ATT&CK Techniques
- T1552
- T1552.007
Created: 2026-06-30