EXPLORE
Sign In
← Back to Explore
elastichighTTP

Kubernetes Secret get or list with Suspicious User Agent

Detects read access to Kubernetes Secrets (`get`/`list`) with a user agent matching a curated set of non-standard or attacker-leaning clients, for example minimal HTTP tooling, common scripting stacks, default library fingerprints, or distribution-tagged strings associated with offensive-security Linux images. Legitimate in-cluster automation usually presents stable, purpose-specific user agents (for example controller or client-go variants used by known components).

MITRE ATT&CK

T1552T1552.007
credential-access

Detection Query

data_stream.dataset:"kubernetes.audit_logs" and
event.action:(get or list) and
kubernetes.audit.objectRef.resource:"secrets" and
user_agent.original:(curl* or python* or Python* or wget* or Go-http* or perl* or java* or node* or php* or *distrib#kali* or *kali-amd64 or *kali-arm64*) and
source.ip:*

Author

Elastic

Created

2026/04/22

Data Sources

Kuberneteslogs-kubernetes.audit_logs-*

References

Tags

Data Source: KubernetesDomain: KubernetesUse Case: Threat DetectionTactic: Credential AccessResources: Investigation Guide
Raw Content
[metadata]
creation_date = "2026/04/22"
integration = ["kubernetes"]
maturity = "production"
updated_date = "2026/04/22"

[rule]
author = ["Elastic"]
description = """
Detects read access to Kubernetes Secrets (`get`/`list`) with a user agent matching a curated set of non-standard or 
attacker-leaning clients, for example minimal HTTP tooling, common scripting stacks, default library fingerprints, or
distribution-tagged strings associated with offensive-security Linux images. Legitimate in-cluster automation usually 
presents stable, purpose-specific user agents (for example controller or client-go variants used by known components). 
"""
false_positives = [
    """
    Operators may use ad hoc HTTP clients, scripts, or penetration-test images during approved exercises or break-glass
    maintenance; validate tickets, source IP, and identity before treating as compromise.
    """,
    """
    Internal automation built with generic libraries can resemble suspicious user agents; baseline known jobs and tune
    by service account, namespace, or stable source IP allowlists.
    """,
]
index = ["logs-kubernetes.audit_logs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Kubernetes Secret get or list with Suspicious User Agent"
note = """## Triage and analysis

### Investigating Kubernetes Secret get or list with Suspicious User Agent

The rule matches Kubernetes audit events for **secret** `get`/`list` where **`user_agent.original`** matches a **small
allowlist of suspicious patterns** (scripting runtimes, bare HTTP clients, and known offensive-distro markers) and
**`source.ip` is populated**. It is meant to highlight **credential access** where the client fingerprint does not look
like routine kubectl or well-known controller traffic relative to your environment.

### Possible investigation steps

- Tie `user.name` (and `kubernetes.audit.impersonatedUser.*` if present) to a human, service account, or cloud identity
  and validate whether that principal should use this user-agent profile against the targeted namespaces and secret names.
- Review `kubernetes.audit.objectRef.namespace` and `kubernetes.audit.objectRef.name` for high-value objects (service
  account tokens, cloud IAM bindings, registry pulls, TLS bundles).
- Pivot on `source.ip` in VPC flow, VPN, or proxy logs to determine origin (employee laptop, compromised host, cloud
  instance) and correlate with other API bursts or exec activity.
- Check `kubernetes.audit.annotations.authorization_k8s_io/decision` for successful reads versus failed probing.

### False positive analysis

- CI, GitOps, or one-off scripts can emit generic user agents with broad RBAC; exclude stable pipelines and service
  accounts after review.
- Local API server loopback may still populate `source.ip` in some topologies; compare with expected control-plane paths.

### Response and remediation

- If unauthorized, rotate affected secrets and credentials, revoke tokens or kubeconfigs for the identity, tighten RBAC,
  and block or isolate the source host at the network edge to the API server where appropriate.
"""
references = [
    "https://attack.mitre.org/techniques/T1552/007/",
    "https://kubernetes.io/docs/concepts/configuration/secret/",
]
risk_score = 73
rule_id = "a4c8e901-2b7f-4d6e-9a3c-8e1f0d5b6c2a"
severity = "high"
tags = [
    "Data Source: Kubernetes",
    "Domain: Kubernetes",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
data_stream.dataset:"kubernetes.audit_logs" and
event.action:(get or list) and
kubernetes.audit.objectRef.resource:"secrets" and
user_agent.original:(curl* or python* or Python* or wget* or Go-http* or perl* or java* or node* or php* or *distrib#kali* or *kali-amd64 or *kali-arm64*) and
source.ip:*
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"

[[rule.threat.technique.subtechnique]]
id = "T1552.007"
name = "Container API"
reference = "https://attack.mitre.org/techniques/T1552/007/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"