
Summary
Detects when a Google Kubernetes Engine (GKE) non-human identity (service account or node identity) calls the Kubernetes API to perform self-subject access reviews or self-subject rule reviews (SelfSubjectAccessReview / SelfSubjectRulesReview) via GCP audit logs. This behavior is unusual for non-human identities and can indicate stolen or leaked tokens probing effective RBAC and permissions. The rule targets gcp.audit logs for Kubernetes API activity involving io.k8s.authorization.v1.selfsubjectaccessreviews.create or io.k8s.authorization.v1.selfsubjectrulesreviews.create, specifically from identities such as system:serviceaccount:* and system:node:*, while excluding known legitimate accounts (e.g., certain Argo or Datadog service accounts). It emphasizes fields like user.email and event.action to identify the caller and the action, and suggests correlating with denied requests, secret access, or RBAC changes originating from the same identity. The detection maps to MITRE ATT&CK Discovery techniques (T1069 Cloud Groups and T1613 Container and Resource Discovery) under the Discovery tactic (TA0007). Setup requires the GCP Fleet integration with GKE audit logs enabled. For triage, review the calling service account or node identity and subsequent API activity, correlate with RBAC changes or secret access from the same identity, and account for false positives from legitimate controllers or impersonation workflows by applying exclusions as needed.
Categories
- Cloud
- Kubernetes
- Containers
- GCP
Data Sources
- Cloud Service
ATT&CK Techniques
- T1069
- T1069.003
- T1613
Created: 2026-06-30