← Back to Explore
elastichighTTP
Kubernetes Secrets List Across Cluster or Sensitive Namespaces
Detects list operations on Kubernetes Secrets from a non-loopback client when the request URI targets cluster-wide secrets or list operations under kube-system or default. Useful for spotting broad secret enumeration from remote clients.
Detection Query
event.dataset:"kubernetes.audit_logs" and event.action:list and
kubernetes.audit.objectRef.resource:secrets and
kubernetes.audit.requestURI :(/api/v1/secrets or /api/v1/secrets?limit* or /api/v1/namespaces/kube-system/secrets or /api/v1/namespaces/kube-system/secrets?limit* or /api/v1/namespaces/default/secrets or /api/v1/namespaces/default/secrets?limit*) and
source.ip:(* and not ("::1" or "127.0.0.1")) and
not user.name: (system\:kube-controller-manager or eks\:cloud-controller-manager or eks\:kms-storage-migrator) and
not kubernetes.audit.user.groups:"system:serviceaccounts:ibm-csi"
Author
Elastic
Created
2026/04/22
Data Sources
Kuberneteslogs-kubernetes.audit_logs-*
Tags
Data Source: KubernetesDomain: KubernetesUse Case: Threat DetectionTactic: Credential AccessTactic: DiscoveryResources: Investigation Guide
Raw Content
[metadata]
creation_date = "2026/04/22"
integration = ["kubernetes"]
maturity = "production"
updated_date = "2026/05/11"
[rule]
author = ["Elastic"]
description = """
Detects list operations on Kubernetes Secrets from a non-loopback client when the request URI targets cluster-wide
secrets or list operations under kube-system or default. Useful for spotting broad secret enumeration from remote
clients.
"""
from = "now-6m"
index = ["logs-kubernetes.audit_logs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Kubernetes Secrets List Across Cluster or Sensitive Namespaces"
note = """## Triage and analysis
### Investigating Kubernetes Secrets List Across Cluster or Sensitive Namespaces
Audit events for `list` on the `secrets` resource against `/api/v1/secrets`, paginated cluster lists, or namespace-scoped
lists under `kube-system` or `default`, from a source IP that is not localhost.
### Investigation steps
- Confirm the actor (`user.name`, groups) and whether the client is expected (CI, admin bastion, controller).
- Review `kubernetes.audit.requestURI`, `user_agent.original`, and follow-on API activity from the same source.
- Assess exposure: cluster-wide secret listing can surface many credentials.
### False positives
- Legitimate controllers or operators listing secrets in `kube-system` / `default` from cluster nodes may match; tune by
source IP, user agent, or service account as needed.
"""
references = [
"https://attack.mitre.org/techniques/T1552/007/",
]
risk_score = 73
rule_id = "7e3f9a2b-1c4d-5e6f-8a0b-9c8d7e6f5a4b"
severity = "high"
tags = [
"Data Source: Kubernetes",
"Domain: Kubernetes",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Tactic: Discovery",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:"kubernetes.audit_logs" and event.action:list and
kubernetes.audit.objectRef.resource:secrets and
kubernetes.audit.requestURI :(/api/v1/secrets or /api/v1/secrets?limit* or /api/v1/namespaces/kube-system/secrets or /api/v1/namespaces/kube-system/secrets?limit* or /api/v1/namespaces/default/secrets or /api/v1/namespaces/default/secrets?limit*) and
source.ip:(* and not ("::1" or "127.0.0.1")) and
not user.name: (system\:kube-controller-manager or eks\:cloud-controller-manager or eks\:kms-storage-migrator) and
not kubernetes.audit.user.groups:"system:serviceaccounts:ibm-csi"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
[[rule.threat.technique.subtechnique]]
id = "T1552.007"
name = "Container API"
reference = "https://attack.mitre.org/techniques/T1552/007/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1613"
name = "Container and Resource Discovery"
reference = "https://attack.mitre.org/techniques/T1613/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"