Kubernetes Secret get or list with Suspicious User Agent

Last updated: 2026-04-22
Created: 2026-04-22

About

Detects read access to Kubernetes Secrets (`get`/`list`) with a user agent matching a curated set of non-standard or attacker-leaning clients, for example minimal HTTP tooling, common scripting stacks, default library fingerprints, or distribution-tagged strings associated with offensive-security Linux images. Legitimate in-cluster automation usually presents stable, purpose-specific user agents (for example controller or client-go variants used by known components).
Tags
- Data Source: Kubernetes
- Domain: Kubernetes
- Use Case: Threat Detection
- Tactic: Credential Access
- Language: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Credential Access (TA0006)

False Positive Examples
Operators may use ad hoc HTTP clients, scripts, or penetration-test images during approved exercises or break-glass maintenance; validate tickets, source IP, and identity before treating such access as a compromise. Internal automation built with generic libraries can resemble suspicious user agents; baseline known jobs and tune by service account, namespace, or stable source IP allowlists.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-kubernetes.audit_logs-*
Related Integrations

kubernetes

Query
```kql
data_stream.dataset:"kubernetes.audit_logs" and event.action:(get or list) and kubernetes.audit.objectRef.resource:"secrets" and user_agent.original:(curl* or python* or Python* or wget* or Go-http* or perl* or java* or node* or php* or *distrib#kali* or *kali-amd64 or *kali-arm64*) and source.ip:*
```
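To check the query's logic offline before tuning it, the following added Python example (not Elastic's rule engine and not the rule's own code) applies the same conditions to constructed audit events, including the case-sensitive wildcard matching of the user-agent clause and the existence check that `source.ip:*` expresses. It assumes the flattened ECS field names `kubernetes.audit.user.username` and `kubernetes.audit.objectRef.namespace` for the identity and namespace, and adds a hypothetical service-account/namespace allowlist of the kind the False Positive section suggests.

```python
import fnmatch

# Wildcard patterns copied from the rule's user_agent.original clause.
SUSPICIOUS_UA = ["curl*", "python*", "Python*", "wget*", "Go-http*", "perl*",
                 "java*", "node*", "php*", "*distrib#kali*", "*kali-amd64",
                 "*kali-arm64*"]

def ua_is_suspicious(ua):
    # fnmatchcase mirrors KQL wildcards on a keyword field: case-sensitive,
    # which is why the rule lists both python* and Python*.
    return any(fnmatch.fnmatchcase(ua, p) for p in SUSPICIOUS_UA)

def matches_rule(ev, allowlist=frozenset()):
    """True when a flattened ECS audit event satisfies the rule's query.
    allowlist holds (username, namespace) pairs for baselined automation,
    a tuning step this page suggests; the rule itself has no allowlist."""
    return (ev.get("data_stream.dataset") == "kubernetes.audit_logs"
            and ev.get("event.action") in ("get", "list")
            and ev.get("kubernetes.audit.objectRef.resource") == "secrets"
            and bool(ev.get("source.ip"))            # source.ip:* = field present
            and ua_is_suspicious(ev.get("user_agent.original", ""))
            and (ev.get("kubernetes.audit.user.username"),           # assumed field
                 ev.get("kubernetes.audit.objectRef.namespace")) not in allowlist)

def alerting_users(events, allowlist=frozenset()):
    return [e["kubernetes.audit.user.username"] for e in events if matches_rule(e, allowlist)]

def _ev(action, resource, ua, user, ns, ip="10.0.0.5"):
    return {"data_stream.dataset": "kubernetes.audit_logs", "event.action": action,
            "kubernetes.audit.objectRef.resource": resource, "user_agent.original": ua,
            "kubernetes.audit.user.username": user,
            "kubernetes.audit.objectRef.namespace": ns, "source.ip": ip}

# Constructed sample events (not real audit data).
EVENTS = [
    _ev("get", "secrets", "curl/8.5.0", "alice", "prod"),
    _ev("list", "secrets", "kube-controller-manager/v1.29.0 (linux/amd64)",
        "system:kube-controller-manager", "kube-system"),
    _ev("get", "secrets", "python-requests/2.31.0",
        "system:serviceaccount:backup:velero", "backup"),
    _ev("get", "configmaps", "Go-http-client/1.1", "bob", "prod"),
    _ev("list", "secrets", "Mozilla/5.0 (X11; Linux x86_64) distrib#kali", "mallory", "default"),
    _ev("get", "secrets", "wget/1.21", "carol", "prod", ip=""),   # no source.ip: no match
]
BASELINED = frozenset({("system:serviceaccount:backup:velero", "backup")})

if __name__ == "__main__":
    print(alerting_users(EVENTS))             # ['alice', 'system:serviceaccount:backup:velero', 'mallory']
    print(alerting_users(EVENTS, BASELINED))  # ['alice', 'mallory']
```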

Install detection rules in Elastic Security

Detect Kubernetes Secret get or list with Suspicious User Agent in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.