Elastic Security Detection Rules

Kubernetes Rapid Secret GET Activity Against Multiple Objects

Last updated 11 days ago on 2026-04-22
Created 11 days ago on 2026-04-22

About

This rule detects an unusual volume of Kubernetes API get requests against multiple distinct Secret objects from the same client fingerprint (user, source IP, and user agent) within a defined lookback window. This can indicate credential access or in-cluster reconnaissance, where a user or token is used to enumerate and retrieve sensitive data such as service account tokens, registry credentials, TLS material, or application configuration. Failed get requests are also included, as they may reveal RBAC boundaries, confirm the existence of targeted secrets, or reflect automated probing activity.
Tags
Data Source: KubernetesDomain: KubernetesUse Case: Threat DetectionTactic: Credential AccessLanguage: esql
Severity
high
Risk Score
73
MITRE ATT&CK™

Credential Access (TA0006)(external, opens in a new tab or window)

Unsecured Credentials (T1552)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

kubernetes(external, opens in a new tab or window)

Query
text code block:
from logs-kubernetes.audit_logs-* metadata _id, _index, _version
| where event.dataset == "kubernetes.audit_logs"
    and event.action == "get"
    and kubernetes.audit.objectRef.resource == "secrets"
    and source.ip is not null and user.name is not null 
    and not to_string(source.ip) in ("127.0.0.1", "::1") and 
    not user.name in ("system:kube-controller-manager", "system:kube-scheduler") and 
    not kubernetes.audit.objectRef.name like "sh.helm.release.*"
| stats
    Esql.unique_credentials = count_distinct(kubernetes.audit.objectRef.name),
    Esql.secrets_names = values(kubernetes.audit.objectRef.name),
    Esql.namespaces = values(kubernetes.audit.objectRef.namespace),
    Esql.outcome = values(`kubernetes.audit.annotations.authorization_k8s_io/decision`)
  by user.name, source.ip, user_agent.original
| where Esql.unique_credentials >= 3
| KEEP user.name, source.ip, user_agent.original, Esql.*

Install detection rules in Elastic Security

Detect Kubernetes Rapid Secret GET Activity Against Multiple Objects in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).