
Summary
This rule monitors GKE audit logs in Google Cloud through the GCP Fleet integration. It aggregates failed Kubernetes API requests per user.email, source IP, and user_agent within five-minute windows and raises an alert when the number of failed actions reaches or exceeds 10 in a window. It excludes known system accounts to reduce noise and focuses on non-system users to detect credential stuffing, RBAC probing, or token abuse that could precede privilege escalation. The detection flags include: a burst of failed operations (event.outcome == 'failure' and event.type != 'allowed'), non-null user.email, and a burst across multiple actions and resources in a given namespace. The rule reports the set of distinct actions and resource names associated with the failures for investigation. It maps to MITRE ATT&CK technique T1613 (Container and Resource Discovery) under Discovery, indicating potential reconnaissance or discovery activity targeting Kubernetes resources. The rule ingests data from Cloud Audit logs (GCP), and requires GKE audit logging enabled via the GCP Fleet integration.
Categories
- Cloud
- Kubernetes
Data Sources
- Cloud Service
ATT&CK Techniques
- T1613
Created: 2026-06-30