Elastic Security Detection Rules

Kubernetes Suspicious Self-Subject Review via Unusual User Agent

Last updated 8 days ago on 2026-01-30
Created 4 years ago on 2022-06-30

About

This rule detects when a service account or node attempts to enumerate their own permissions via the selfsubjectaccessreview or selfsubjectrulesreview APIs via an unusual user agent. This is highly unusual behavior for non-human identities like service accounts and nodes. An adversary may have gained access to credentials/tokens and this could be an attempt to determine what privileges they have to facilitate further movement or execution within the cluster.
Tags
Data Source: KubernetesDomain: KubernetesUse Case: Threat DetectionTactic: DiscoveryLanguage: kuery
Severity
low
Risk Score
21
MITRE ATT&CK™

Discovery (TA0007)(external, opens in a new tab or window)

Container and Resource Discovery (T1613)(external, opens in a new tab or window)

False Positive Examples
An administrator may submit this request as an "impersonatedUser" to determine what privileges a particular service account has been granted. However, an adversary may utilize the same technique as a means to determine the privileges of another token other than that of the compromised account.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-kubernetes.audit_logs-*
Related Integrations

kubernetes(external, opens in a new tab or window)

Query
text code block:
event.dataset : "kubernetes.audit_logs" and
kubernetes.audit.annotations.authorization_k8s_io/decision:"allow" and
kubernetes.audit.verb:"create" and
kubernetes.audit.objectRef.resource:("selfsubjectaccessreviews" or "selfsubjectrulesreviews") and (
  kubernetes.audit.user.username:(system\:serviceaccount\:* or system\:node\:*) or
  kubernetes.audit.impersonatedUser.username:(system\:serviceaccount\:* or system\:node\:*)
) and kubernetes.audit.userAgent:(* and not (*kubernetes/$Format))

Install detection rules in Elastic Security

Detect Kubernetes Suspicious Self-Subject Review via Unusual User Agent in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).