diff --git a/rules/integrations/kubernetes/credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml b/rules/integrations/kubernetes/credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml new file mode 100644 index 000000000..bc3aff2b5 --- /dev/null +++ b/rules/integrations/kubernetes/credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml @@ -0,0 +1,90 @@ +[metadata] +creation_date = "2026/04/22" +integration = ["kubernetes"] +maturity = "production" +updated_date = "2026/04/22" + +[rule] +author = ["Elastic"] +description = """ +Detects list operations on Kubernetes Secrets from a non-loopback client when the request URI targets cluster-wide +secrets or list operations under kube-system or default. Useful for spotting broad secret enumeration from remote +clients. +""" +from = "now-6m" +index = ["logs-kubernetes.audit_logs-*"] +language = "kuery" +license = "Elastic License v2" +name = "Kubernetes Secrets List Across Cluster or Sensitive Namespaces" +note = """## Triage and analysis + +### Investigating Kubernetes Secrets List Across Cluster or Sensitive Namespaces + +Audit events for `list` on the `secrets` resource against `/api/v1/secrets`, paginated cluster lists, or namespace-scoped +lists under `kube-system` or `default`, from a source IP that is not localhost. + +### Investigation steps + +- Confirm the actor (`user.name`, groups) and whether the client is expected (CI, admin bastion, controller). +- Review `kubernetes.audit.requestURI`, `user_agent.original`, and follow-on API activity from the same source. +- Assess exposure: cluster-wide secret listing can surface many credentials. + +### False positives + +- Legitimate controllers or operators listing secrets in `kube-system` / `default` from cluster nodes may match; tune by + source IP, user agent, or service account as needed. +""" +references = [ + "https://attack.mitre.org/techniques/T1552/007/", +] +risk_score = 73 +rule_id = "7e3f9a2b-1c4d-5e6f-8a0b-9c8d7e6f5a4b" +severity = "high" +tags = [ + "Data Source: Kubernetes", + "Domain: Kubernetes", + "Use Case: Threat Detection", + "Tactic: Credential Access", + "Tactic: Discovery", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "query" +query = ''' +event.dataset:"kubernetes.audit_logs" and event.action:list and +kubernetes.audit.objectRef.resource:secrets and +kubernetes.audit.requestURI :(/api/v1/secrets or /api/v1/secrets?limit* or /api/v1/namespaces/kube-system/secrets or /api/v1/namespaces/kube-system/secrets?limit* or /api/v1/namespaces/default/secrets or /api/v1/namespaces/default/secrets?limit*) and +source.ip:(* and not ("::1" or "127.0.0.1")) and +not user.name: (system\:kube-controller-manager or eks\:cloud-controller-manager or eks\:kms-storage-migrator) +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1552" +name = "Unsecured Credentials" +reference = "https://attack.mitre.org/techniques/T1552/" + +[[rule.threat.technique.subtechnique]] +id = "T1552.007" +name = "Container API" +reference = "https://attack.mitre.org/techniques/T1552/007/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1613" +name = "Container and Resource Discovery" +reference = "https://attack.mitre.org/techniques/T1613/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/"