GKE Unusual Sensitive Workload Modification

Last updated 9 days ago on 2026-07-10
Created 9 days ago on 2026-07-10

About

Detects the first occurrence of create or patch activity against sensitive GKE workloads (DaemonSets, Deployments, or CronJobs) from an unusual combination of user agent, source IP, and user identity, which may indicate privilege escalation or unauthorized access within the cluster.
Tags
Domain: CloudDomain: KubernetesData Source: GCPData Source: Google Cloud PlatformUse Case: Threat DetectionTactic: Privilege EscalationTactic: PersistenceLanguage: kuery
Severity
low
Risk Score
21
MITRE ATT&CK™

Privilege Escalation (TA0004)(external, opens in a new tab or window)

Persistence (TA0003)(external, opens in a new tab or window)

False Positive Examples
Emergency kubectl changes, VPN or workstation migrations, and CI runner rotation can produce new user agent, source IP, and username combinations for authorized operators. Baseline expected automation before tuning.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-gcp.audit-*
Related Integrations

gcp(external, opens in a new tab or window)

Query
text code block:
data_stream.dataset:gcp.audit and service.name:k8s.io and event.outcome:success and user_agent.original:* and client.user.email:(* and not system\:*) and source.ip:* and event.action:(io.k8s.apps.v1.daemonsets.create or io.k8s.apps.v1.daemonsets.patch or io.k8s.apps.v1.deployments.create or io.k8s.apps.v1.deployments.patch or io.k8s.batch.v1.cronjobs.create or io.k8s.batch.v1.cronjobs.patch)

Install detection rules in Elastic Security

Detect GKE Unusual Sensitive Workload Modification in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).