GKE API Request Failure Burst by User

Last updated 8 days ago on 2026-06-30
Created 8 days ago on 2026-06-30

About

Detects bursts of failed GKE API requests from a single user identity within a five-minute window. Repeated authorization failures across multiple actions can indicate credential stuffing, RBAC probing, or reconnaissance with stolen tokens.
Tags
Domain: CloudDomain: KubernetesData Source: GCPData Source: Google Cloud PlatformUse Case: Threat DetectionTactic: DiscoveryLanguage: esql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Discovery (TA0007)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

gcp(external, opens in a new tab or window)

Query
text code block:
from logs-gcp.audit-* metadata _id, _index, _version | eval Esql.time_interval = date_trunc(5 minutes, @timestamp) | where data_stream.dataset == "gcp.audit" and service.name == "k8s.io" and event.outcome == "failure" and event.type != "allowed" and user.email is not null and not to_string(user.email) rlike "(system:serviceaccount:|system:gke-spiffe-controller|system:kube-scheduler|system:node:).*" | stats Esql.unique_actions = count_distinct(event.action), Esql.failures_count = count(*), Esql.actions = values(event.action), Esql.resources = values(orchestrator.resource.name) by user.email, source.ip, user_agent.original, data_stream.namespace, Esql.time_interval | where Esql.failures_count >= 10 | keep Esql.*, user.email, source.ip, user_agent.original, data_stream.namespace

Install detection rules in Elastic Security

Detect GKE API Request Failure Burst by User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).