Kubernetes Anonymous User Create/Update/Patch Pods Request

[metadata]
creation_date = "2026/02/02"
integration = ["kubernetes"]
maturity = "production"
updated_date = "2026/04/10"

[rule]
author = ["Elastic"]
description = """
This rule detects attempts to create, update, or patch pods by an anonymous user. An anonymous user is a user that
is not authenticated or authorized to access the Kubernetes API server. Creating, updating, or patching pods is a common
activity for attackers to gain access to the cluster and execute commands.
"""
index = ["logs-kubernetes.audit_logs-*"]
language = "eql"
license = "Elastic License v2"
name = "Kubernetes Anonymous User Create/Update/Patch Pods Request"
risk_score = 47
rule_id = "3a01e5c6-ce01-46d7-ac9f-52dc349695fb"
severity = "medium"
tags = [
    "Data Source: Kubernetes",
    "Domain: Kubernetes",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Resources: Investigation Guide"
    ]
timestamp_override = "event.ingested"
type = "eql"
query = '''
any where data_stream.dataset == "kubernetes.audit_logs" and (
    kubernetes.audit.user.username in ("system:anonymous", "system:unauthenticated") or
    kubernetes.audit.user.username == null or
    kubernetes.audit.user.username == ""
  ) and kubernetes.audit.level in ("RequestResponse", "ResponseComplete", "Request") and kubernetes.audit.verb in ("create", "update", "patch") and
kubernetes.audit.objectRef.resource == "pods"

'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1610"
name = "Deploy Container"
reference = "https://attack.mitre.org/techniques/T1610/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"