Elastic Security Detection Rules

Kubernetes Denied Service Account Request via Unusual User Agent

Last updated 8 days ago on 2026-01-30
Created 3 years ago on 2022-09-13

About

This rule detects when a service account makes an unauthorized request for resources from the API server via an unusual user agent. Service accounts follow a very predictable pattern of behavior. A service account should never send an unauthorized request to the API server. This behavior is likely an indicator of compromise or of a problem within the cluster. An adversary may have gained access to credentials/tokens and this could be an attempt to access or create resources to facilitate further movement or execution within the cluster.
Tags
Data Source: KubernetesDomain: KubernetesUse Case: Threat DetectionTactic: DiscoveryLanguage: kuery
Severity
low
Risk Score
21
MITRE ATT&CK™

Discovery (TA0007)(external, opens in a new tab or window)

Container and Resource Discovery (T1613)(external, opens in a new tab or window)

False Positive Examples
Unauthorized requests from service accounts are normal and expected behavior. Analyze the user agent, pod and other node information to determine if the request is legitimate.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-kubernetes.audit_logs-*
Related Integrations

kubernetes(external, opens in a new tab or window)

Query
text code block:
event.dataset:"kubernetes.audit_logs" and
kubernetes.audit.user.username:system\:serviceaccount\:* and
kubernetes.audit.annotations.authorization_k8s_io/decision:"forbid" and
kubernetes.audit.userAgent:(* and not (*kubernetes/$Format or karpenter or csi-secrets-store* or OpenAPI-Generator* or Prometheus* or dashboard* or cilium-agent*))

Install detection rules in Elastic Security

Detect Kubernetes Denied Service Account Request via Unusual User Agent in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).