EXPLORE
← Back to Explore
elastichighTTP

GKE Secrets List from Unusual Source AS Organization

Detects the first time a human GKE caller lists secrets cluster-wide or in default or kube-system from a source autonomous system that is not attributed to common cloud provider organizations. This can indicate remote secret enumeration using stolen credentials from an unusual network.

MITRE ATT&CK

credential-accessdiscovery

Detection Query

data_stream.dataset:gcp.audit and service.name:"k8s.io" and event.action:io.k8s.core.v1.secrets.list and gcp.audit.resource_name:(core/v1/namespaces/default/secrets or core/v1/namespaces/kube-system/secrets or core/v1/secrets) and user.email:*@* and source.as.organization.name:(* and not ("Google LLC" or "Microsoft Corporation")) and source.as.number:*

Author

Elastic

Created

2026/06/30

Data Sources

GCPGoogle Cloud Platformlogs-gcp.audit-*

Tags

Domain: CloudDomain: KubernetesData Source: GCPData Source: Google Cloud PlatformUse Case: Threat DetectionTactic: Credential AccessTactic: DiscoveryResources: Investigation Guide
Raw Content
[metadata]
creation_date = "2026/06/30"
integration = ["gcp"]
maturity = "production"
updated_date = "2026/06/30"

[rule]
author = ["Elastic"]
description = """
Detects the first time a human GKE caller lists secrets cluster-wide or in default or kube-system from a source
autonomous system that is not attributed to common cloud provider organizations. This can indicate remote secret
enumeration using stolen credentials from an unusual network.
"""
false_positives = [
    """
    Engineers listing secrets from home ISP or corporate VPN AS names may match until baselined. GeoIP organization
  labels vary by vendor; tune exclusions after validation.
    """,
]
from = "now-6m"
index = ["logs-gcp.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "GKE Secrets List from Unusual Source AS Organization"
note = """## Triage and analysis

### Investigating GKE Secrets List from Unusual Source AS Organization

New-terms rule on `user.email` and `source.as.number` for cluster-wide or sensitive namespace secret list operations.

### Investigation steps

- Confirm `gcp.audit.resource_name` and whether listing was authorized.
- Review `source.ip`, `source.as.organization.name`, and follow-on secret get or exec activity.

### False positives

- First-time legitimate admin access from a new office or VPN provider.

## Setup

The GCP Fleet integration with GKE audit logs enabled is required to be compatible with this rule."""
references = [
    "https://attack.mitre.org/techniques/T1552/007/",
]
risk_score = 73
rule_id = "4df2e3ae-3553-4194-b22e-3e5a6f71466e"
severity = "high"
tags = [
    "Domain: Cloud",
    "Domain: Kubernetes",
    "Data Source: GCP",
    "Data Source: Google Cloud Platform",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Tactic: Discovery",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
data_stream.dataset:gcp.audit and service.name:"k8s.io" and event.action:io.k8s.core.v1.secrets.list and gcp.audit.resource_name:(core/v1/namespaces/default/secrets or core/v1/namespaces/kube-system/secrets or core/v1/secrets) and user.email:*@* and source.as.organization.name:(* and not ("Google LLC" or "Microsoft Corporation")) and source.as.number:*
'''

[rule.new_terms]
field = "new_terms_fields"
value = ["user.email", "source.as.number"]

[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"

[[rule.threat.technique.subtechnique]]
id = "T1552.007"
name = "Container API"
reference = "https://attack.mitre.org/techniques/T1552/007/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1613"
name = "Container and Resource Discovery"
reference = "https://attack.mitre.org/techniques/T1613/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"