Kubernetes Service Account Token Created via TokenRequest API

Last updated 2 months ago on 2026-05-05

Created 2 months ago on 2026-05-05

About

Detects the creation of a Kubernetes service account token through the TokenRequest API by a non-system identity. The TokenRequest API allows users and workloads to programmatically generate short-lived tokens for any service account they have create permissions on, without accessing the filesystem or the mounted projected token. Attackers who have gained initial access to a cluster can abuse this API to mint tokens for more privileged service accounts, pivot to cloud provider resources via IRSA/workload identity, or generate long-lived tokens that persist beyond pod termination. Unlike mounted service account tokens which are detectable through file access monitoring, tokens created via the TokenRequest API leave no filesystem footprint, they are only visible in Kubernetes audit logs as a create verb on the serviceaccounts/token subresource. This rule excludes legitimate system components such as the kubelet, kube-controller-manager, and cloud provider managed identities (EKS, AKS, GKE) that routinely create tokens for pod lifecycle management.

Tags

Data Source: KubernetesDomain: KubernetesUse Case: Threat DetectionTactic: Credential AccessLanguage: kuery

Severity

medium

Risk Score

MITRE ATT&CK™

Credential Access (TA0006)(external, opens in a new tab or window)

↳ Unsecured Credentials (T1552)(external, opens in a new tab or window)

False Positive Examples

New automation, admission webhooks, or platform agents that legitimately call the TokenRequest API under a non-standard user string may require narrow exclusions by user.name or source IP.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type: Query (Kibana Query Language)
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-kubernetes.audit_logs-*
Related Integrations: kubernetes(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗data_stream.dataset:"kubernetes.audit_logs" and 
kubernetes.audit.verb:"create" and
kubernetes.audit.objectRef.resource:"serviceaccounts" and
kubernetes.audit.objectRef.subresource:"token" and
user.name:(* and not 
 (system\:kube-controller-manager or
  system\:kube-scheduler or
  system\:node\:* or
  system\:serviceaccount\:kube-system\:* or
  eks\:* or
  aksService or
  aks-service or
  masterclient or
  nodeclient or
  system\:serviceaccount\:gke-managed-system\:* or
  system\:serviceaccount\:gke-connect\:* or
  system\:serviceaccount\:anthos-identity-service\:* or
  system\:gke-controller-manager or
  system\:serviceaccount\:tigera-operator\:* or
  system\:serviceaccount\:calico-system\:*))

Install detection rules in Elastic Security

Detect Kubernetes Service Account Token Created via TokenRequest API in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).