
Summary
Detects the first create or patch action against sensitive GKE workloads (DaemonSet, Deployment, CronJob) that originates from an unseen combination of user_agent.original, source.ip, and client.user.email. Using GCP audit logs (gcp.audit) and Kubernetes API activity (k8s.io), it flags new actor-network-user combinations for workload modification events (io.k8s.apps.v1.daemonsets.*, io.k8s.apps.v1.deployments.*, io.k8s.batch.v1.cronjobs.*) where the event outcome is success and the client identity is not a known system account. This serves as an indicator of potential privilege escalation or unauthorized access within the cluster. The rule is a new_terms signal that triggers on the first occurrence of such a combination within a history window (now-7d) and detects the first create/patch within the last 6 minutes (from now-6m). It correlates with MITRE ATT&CK techniques T1098 (Account Manipulation, with T1098.006 Additional Container Cluster Roles) and maps to Privilege Escalation (TA0004) and Persistence (TA0003). The setup requires the GCP Fleet integration with GKE audit logs enabled. Operational guidance includes reviewing image/command changes, validating identity, and tightening RBAC on workload controllers. False positives may occur during legitimate admin operations or CI/workstation rotations, which should be considered during tuning.
Categories
- Cloud
- Kubernetes
- Containers
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1098
- T1098.006
Created: 2026-07-10