
Summary
Detects the first occurrence of a non-system Google Kubernetes Engine (GKE) identity establishing an exec session into a pod. The rule monitors GCP audit logs (data_stream.dataset:gcp.audit) for Kubernetes exec actions (io.k8s.core.v1.pods.exec.create or io.k8s.core.v1.pods.exec.get) and uses a new_terms approach to flag the first time a given user initiates an exec into any pod within the history window (now-7d). It excludes system identities (not user.email:system:*). The rule is evaluated in a near-real-time window (from now-6m) and is mapped to MITRE ATT&CK technique T1609 (Container Administration Command) under Execution. Investigators should review fields such as user.email, orchestrator.resource.name, source.ip, and user_agent.original, and correlate with any secret access or RBAC changes from the same identity. False positives may include approved admin debugging; exclude known break-glass identities after verification. Setup requires the GCP Fleet integration with GKE audit logs enabled. References include Kubernetes documentation on shell access to containers. The rule aids in detecting potential post-compromise activity attempting to access secrets or expand access within pods.
Categories
- Cloud
- GCP
- Kubernetes
- Containers
Data Sources
- Cloud Service
- Command
ATT&CK Techniques
- T1609
Created: 2026-06-30