GKE Rapid Secret GET Activity Against Multiple Objects

Last updated 7 days ago on 2026-07-07
Created 7 days ago on 2026-07-07

About

Detects an unusual volume of GKE API get requests against multiple distinct Secret objects from the same client fingerprint (user, source IP, and user agent) within the rule lookback window. This can indicate credential access or in-cluster reconnaissance, where a user or token is used to enumerate and retrieve sensitive data such as service account tokens, registry credentials, TLS material, or application configuration. Failed get requests are included and can signal RBAC probing; system service accounts are excluded only when secret reads succeed, since failed secret access by a service account may indicate compromise or misconfiguration worth investigating.
Tags
Domain: CloudDomain: KubernetesData Source: GCPData Source: Google Cloud PlatformUse Case: Threat DetectionTactic: Credential AccessLanguage: esql
Severity
high
Risk Score
73
MITRE ATT&CK™

Credential Access (TA0006)(external, opens in a new tab or window)

False Positive Examples
Startup, Helm, or controllers may legitimately touch many secrets in one window; tune by client.user.email, namespace, or IP allowlists when baselined.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

gcp(external, opens in a new tab or window)

Query
text code block:
from logs-gcp.audit-* metadata _id, _index, _version | where data_stream.dataset == "gcp.audit" and service.name == "k8s.io" and event.action == "io.k8s.core.v1.secrets.get" and source.ip is not null and client.user.email is not null and not to_string(source.ip) in ("127.0.0.1", "::1") and not ( (client.user.email in ("system:kube-controller-manager", "system:kube-scheduler") or client.user.email like "system:serviceaccount:*") and event.outcome == "success" ) and not gcp.audit.resource_name like "*sh.helm.release.*" | stats Esql.gcp_audit_resource_name_count_distinct = count_distinct(gcp.audit.resource_name), Esql.gcp_audit_resource_name_values = values(gcp.audit.resource_name), Esql.event_outcome_values = values(event.outcome), Esql.timestamp_values = values(@timestamp) by client.user.email, source.ip, user_agent.original | where Esql.gcp_audit_resource_name_count_distinct >= 3 | keep client.user.email, source.ip, user_agent.original, Esql.gcp_audit_resource_name_count_distinct, Esql.gcp_audit_resource_name_values, Esql.event_outcome_values, Esql.timestamp_values

Install detection rules in Elastic Security

Detect GKE Rapid Secret GET Activity Against Multiple Objects in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).