← Back to Explore
elastichighTTP
GKE Secret get or list with Suspicious User Agent
Detects successful GKE secret get or list operations where the user agent matches scripting runtimes, minimal HTTP clients, or offensive-distribution fingerprints rather than typical kubectl or controller traffic.
Detection Query
data_stream.dataset:gcp.audit and service.name:"k8s.io" and event.outcome:success and
event.action:("io.k8s.core.v1.secrets.list" or "io.k8s.core.v1.secrets.get") and user_agent.original:(
curl* or python* or Python* or wget* or Go-http* or perl* or java* or node* or php* or *distrib#kali* or *kali-amd64* or
*kali-arm64* or Bun* or axios* or undici*
)
Author
Elastic
Created
2026/06/30
Data Sources
GCPGoogle Cloud Platformlogs-gcp.audit-*
Tags
Domain: CloudDomain: KubernetesData Source: GCPData Source: Google Cloud PlatformUse Case: Threat DetectionTactic: Credential AccessResources: Investigation Guide
Raw Content
[metadata]
creation_date = "2026/06/30"
integration = ["gcp"]
maturity = "production"
updated_date = "2026/06/30"
[rule]
author = ["Elastic"]
description = """
Detects successful GKE secret get or list operations where the user agent matches scripting runtimes, minimal HTTP
clients, or offensive-distribution fingerprints rather than typical kubectl or controller traffic.
"""
false_positives = [
"""
Approved scripts, CI jobs, or penetration tests may use generic HTTP clients. Validate tickets and identity scope
before treating as compromise.
""",
]
index = ["logs-gcp.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "GKE Secret get or list with Suspicious User Agent"
note = """## Triage and analysis
### Investigating GKE Secret get or list with Suspicious User Agent
Review `user.email`, `user_agent.original`, targeted secret resource, and `source.ip`.
### Investigation steps
- Confirm whether the identity should access secrets with this client fingerprint.
- Pivot on source IP for other API bursts, exec, or RBAC changes.
### False positives
- Internal automation using generic libraries; exclude stable service accounts after review.
## Setup
The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule."""
references = [
"https://attack.mitre.org/techniques/T1552/007/",
]
risk_score = 73
rule_id = "0c04d82f-6def-4659-aa62-ed6355a51f39"
severity = "high"
tags = [
"Domain: Cloud",
"Domain: Kubernetes",
"Data Source: GCP",
"Data Source: Google Cloud Platform",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
data_stream.dataset:gcp.audit and service.name:"k8s.io" and event.outcome:success and
event.action:("io.k8s.core.v1.secrets.list" or "io.k8s.core.v1.secrets.get") and user_agent.original:(
curl* or python* or Python* or wget* or Go-http* or perl* or java* or node* or php* or *distrib#kali* or *kali-amd64* or
*kali-arm64* or Bun* or axios* or undici*
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
[[rule.threat.technique.subtechnique]]
id = "T1552.007"
name = "Container API"
reference = "https://attack.mitre.org/techniques/T1552/007/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"