Kubernetes Denied Service Account Request

Last updated 2 months ago on 2025-06-18

Created 3 years ago on 2022-09-13

About

This rule detects when a service account makes an unauthorized request for resources from the API server. Service accounts follow a very predictable pattern of behavior. A service account should never send an unauthorized request to the API server. This behavior is likely an indicator of compromise or of a problem within the cluster. An adversary may have gained access to credentials/tokens and this could be an attempt to access or create resources to facilitate further movement or execution within the cluster.

Tags

Data Source: KubernetesTactic: DiscoveryLanguage: kuery

Severity

medium

Risk Score

MITRE ATT&CK™

Discovery (TA0007)(opens in a new tab or window)

↳ Container and Resource Discovery (T1613)(opens in a new tab or window)

False Positive Examples

Unauthorized requests from service accounts are highly abnormal and more indicative of human behavior or a serious problem within the cluster. This behavior should be investigated further.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Query (Kibana Query Language)
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-kubernetes.audit_logs-*
Related Integrations: kubernetes(opens in a new tab or window)
Query

event.dataset: "kubernetes.audit_logs"
  and kubernetes.audit.user.username: system\:serviceaccount\:*
  and kubernetes.audit.annotations.authorization_k8s_io/decision: "forbid"

Install detection rules in Elastic Security

Detect Kubernetes Denied Service Account Request in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).