Kubernetes Potential Endpoint Permission Enumeration Attempt Detected

Last updated 2 days ago on 2026-02-09

Created 9 days ago on 2026-02-02

About

This rule detects potential endpoint enumeration attempts by a single user and source IP address. By looking for a combination of failed/successful API requests across multiple endpoints and a limited number of documents, this rule can detect automated permission enumeration attempts. This behavior is uncommon for regular Kubernetes clusters.

Tags

Data Source: KubernetesDomain: KubernetesUse Case: Threat DetectionTactic: DiscoveryLanguage: esql

Severity

medium

Risk Score

MITRE ATT&CK™

Discovery (TA0007)(external, opens in a new tab or window)

↳ Container and Resource Discovery (T1613)(external, opens in a new tab or window)

License

Elastic License v2(external, opens in a new tab or window)

Definition

Integration Pack: Prebuilt Security Detection Rules
Related Integrations: kubernetes(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗from logs-kubernetes.audit_logs-* metadata _id, _index, _version
| where kubernetes.audit.stage == "ResponseComplete" and kubernetes.audit.verb in ("get", "list", "watch", "create", "update", "patch")
| stats
  Esql.document_count = count(),
  Esql.kubernetes_audit_annotations_authorization_k8s_io_decision_count_distinct = count_distinct(`kubernetes.audit.annotations.authorization_k8s_io/decision`),
  Esql.kubernetes_audit_verb_count_distinct = count_distinct(kubernetes.audit.verb),
  Esql.kubernetes_audit_requestURI_count_distinct = count_distinct(kubernetes.audit.requestURI),
  Esql.kubernetes_audit_objectRef_resource_count_distinct = count_distinct(kubernetes.audit.objectRef.resource),
  
  Esql.kubernetes_audit_responseStatus_message_values = values(kubernetes.audit.responseStatus.message),
  Esql.kubernetes_audit_verb_values = values(kubernetes.audit.verb),
  Esql.kubernetes_audit_responseStatus_code_values = values(kubernetes.audit.responseStatus.code),
  Esql.kubernetes_audit_objectRef_resource_values = values(kubernetes.audit.objectRef.resource),
  Esql.kubernetes_audit_objectRef_namespace_values = values(kubernetes.audit.objectRef.namespace),
  Esql.kubernetes_audit_user_username_values = values(kubernetes.audit.user.username),
  Esql.kubernetes_audit_user_groups_values = values(kubernetes.audit.user.groups),
  Esql.kubernetes_audit_requestURI_values = values(kubernetes.audit.requestURI),
  Esql.kubernetes_audit_userAgent_values = values(kubernetes.audit.userAgent),
  Esql.data_stream_namespace_values = values(data_stream.namespace)
  
  by kubernetes.audit.user.username, kubernetes.audit.sourceIPs
| where
  Esql.kubernetes_audit_annotations_authorization_k8s_io_decision_count_distinct == 2 and
  Esql.kubernetes_audit_requestURI_count_distinct > 5 and
  Esql.kubernetes_audit_objectRef_resource_count_distinct > 3 and
  Esql.document_count < 75
| keep Esql.*, kubernetes.audit.user.username, kubernetes.audit.sourceIPs

Install detection rules in Elastic Security

Detect Kubernetes Potential Endpoint Permission Enumeration Attempt Detected in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).