heroui logo

GKE Secrets List from Unusual Source AS Organization

Elastic Detection Rules

View Source
Summary
Detects the first-time listing of Kubernetes secrets at cluster-wide scope or within default/kube-system namespaces by a caller originating from an autonomous system (ASN) not attributed to common cloud provider organizations. The rule targets GKE audit activity indicating potential remote secret enumeration using stolen credentials from an unusual network. It triggers on new terms found in user.email and source.as.number within GCP audit logs, specifically when a user lists secrets (including core/v1/namespaces/default/secrets, core/v1/namespaces/kube-system/secrets, or core/v1/secrets) via the Kubernetes API (k8s.io) and the ASN organization is not Google LLC or Microsoft Corporation. The intent is credential access and discovery in a context that could precede secret exfiltration or misuse. The detection uses a history window (now-7d) to emphasize first-time events, with a risk score of 73 and a high severity. Upon match, analysts are advised to confirm whether the listing was authorized, review the source ASN organization and IP, and correlate with follow-on secret access (get/exec) activity. False positives include legitimate first-time admin access from a new office or VPN provider. The rule is designed to complement an existing GCP Fleet integration with GKE audit logs enabled, and it maps to MITRE ATT&CK techniques T1552 (Unsecured Credentials, container API) and T1613 (Container and Resource Discovery) under the Credential Access and Discovery tactics. Investigation guidance and references to ATT&CK are included in the rule’s notes.
Categories
  • Cloud
  • Kubernetes
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1552
  • T1552.007
  • T1613
Created: 2026-06-30