[New] Kubernetes Secrets List Across Cluster or Sensitive Namespaces (#5966)

* [New] Kubernetes Secrets List Across Cluster or Sensitive Namespaces

Detects `list` operations on Kubernetes Secrets from a non-loopback client when the request URI targets cluster-wide secrets or list operations under `kube-system` or `default`. Useful for spotting broad secret enumeration from remote clients.

* Update credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml

* Update credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml

* Update rules/integrations/kubernetes/credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

rules/integrations/kubernetes/credential_access_kubernetes_secrets_list_cluster_and_sensitive_namespaces.toml

@@ -0,0 +1,90 @@
+[metadata]
+creation_date = "2026/04/22"
+integration = ["kubernetes"]
+maturity = "production"
+updated_date = "2026/04/22"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects list operations on Kubernetes Secrets from a non-loopback client when the request URI targets cluster-wide
+secrets or list operations under kube-system or default. Useful for spotting broad secret enumeration from remote
+clients.
+"""
+from = "now-6m"
+index = ["logs-kubernetes.audit_logs-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Kubernetes Secrets List Across Cluster or Sensitive Namespaces"
+note = """## Triage and analysis
+
+### Investigating Kubernetes Secrets List Across Cluster or Sensitive Namespaces
+
+Audit events for `list` on the `secrets` resource against `/api/v1/secrets`, paginated cluster lists, or namespace-scoped
+lists under `kube-system` or `default`, from a source IP that is not localhost.
+
+### Investigation steps
+
+- Confirm the actor (`user.name`, groups) and whether the client is expected (CI, admin bastion, controller).
+- Review `kubernetes.audit.requestURI`, `user_agent.original`, and follow-on API activity from the same source.
+- Assess exposure: cluster-wide secret listing can surface many credentials.
+
+### False positives
+
+- Legitimate controllers or operators listing secrets in `kube-system` / `default` from cluster nodes may match; tune by
+  source IP, user agent, or service account as needed.
+"""
+references = [
+    "https://attack.mitre.org/techniques/T1552/007/",
+]
+risk_score = 73
+rule_id = "7e3f9a2b-1c4d-5e6f-8a0b-9c8d7e6f5a4b"
+severity = "high"
+tags = [
+    "Data Source: Kubernetes",
+    "Domain: Kubernetes",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Tactic: Discovery",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+query = '''
+event.dataset:"kubernetes.audit_logs" and event.action:list and 
+kubernetes.audit.objectRef.resource:secrets and 
+kubernetes.audit.requestURI :(/api/v1/secrets or /api/v1/secrets?limit* or /api/v1/namespaces/kube-system/secrets or /api/v1/namespaces/kube-system/secrets?limit* or /api/v1/namespaces/default/secrets or /api/v1/namespaces/default/secrets?limit*) and 
+source.ip:(* and not ("::1" or "127.0.0.1")) and 
+not user.name: (system\:kube-controller-manager or eks\:cloud-controller-manager or eks\:kms-storage-migrator)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1552.007"
+name = "Container API"
+reference = "https://attack.mitre.org/techniques/T1552/007/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1613"
+name = "Container and Resource Discovery"
+reference = "https://attack.mitre.org/techniques/T1613/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"