Credential Access (TA0006)(external, opens in a new tab or window)
text code block:from logs-gcp.audit-* metadata _id, _index, _version | where data_stream.dataset == "gcp.audit" and service.name == "k8s.io" and event.action == "io.k8s.core.v1.secrets.get" and source.ip is not null and client.user.email is not null and not to_string(source.ip) in ("127.0.0.1", "::1") and not ( (client.user.email in ("system:kube-controller-manager", "system:kube-scheduler") or client.user.email like "system:serviceaccount:*") and event.outcome == "success" ) and not gcp.audit.resource_name like "*sh.helm.release.*" | stats Esql.gcp_audit_resource_name_count_distinct = count_distinct(gcp.audit.resource_name), Esql.gcp_audit_resource_name_values = values(gcp.audit.resource_name), Esql.event_outcome_values = values(event.outcome), Esql.timestamp_values = values(@timestamp) by client.user.email, source.ip, user_agent.original | where Esql.gcp_audit_resource_name_count_distinct >= 3 | keep client.user.email, source.ip, user_agent.original, Esql.gcp_audit_resource_name_count_distinct, Esql.gcp_audit_resource_name_values, Esql.event_outcome_values, Esql.timestamp_values
Install detection rules in Elastic Security
Detect GKE Rapid Secret GET Activity Against Multiple Objects in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).