ConfigMaps Kubernetes-configmaps

8 operations, identified by Operation in the audit log.

Operation	Description
get-configmaps
list-configmaps
watch-configmaps
create-configmaps
update-configmaps	ConfigMap modified (e.g. CoreDNS config or aws-auth in kube-system).
patch-configmaps
delete-configmaps
any-configmaps	Synthetic aggregation for rules that filter the configmaps resource with no specific verb. Not a distinct audit record; hosts rule listings that key on objectRef.resource alone.

get-configmaps: get configmaps

Resource: Kubernetes-configmaps

Fields #

Name	Description
`verb`	The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...).
`objectRef.resource`	The targeted resource type (plural API name, e.g. pods, secrets).
`objectRef.subresource`	The targeted subresource, when present (e.g. exec, log, token).
`objectRef.namespace`	Namespace of the targeted object (empty for cluster-scoped resources).
`objectRef.name`	Name of the targeted object.
`objectRef.apiGroup`	API group of the targeted resource (empty string for core group).
`user.username`	Authenticated identity that issued the request (user or service account).
`user.groups`	Groups of the requesting identity.
`sourceIPs`	Source IP addresses of the request.
`responseStatus.code`	HTTP status code of the API response (200, 201, 403, 404, ...).
`stage`	Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic.
`requestReceivedTimestamp`	Time the apiserver received the request.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Esql.timestamp_first_seen`	ge	`NOW() - 9`	1 rule	elastic
`kubernetes.audit.objectRef.resource`	in	`configmaps`	1 rule	elastic
`kubernetes.audit.objectRef.resource`	in	`secrets`	1 rule	elastic
`kubernetes.audit.verb`	in	`delete`	1 rule	elastic
`kubernetes.audit.verb`	in	`get`	1 rule	elastic
`kubernetes.audit.verb`	in	`list`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

Kubernetes Secret or ConfigMap Access via Azure Arc Proxy source medium: Detects when secrets or configmaps are accessed, created, modified, or deleted in a Kubernetes cluster by the Azure Arc AAD proxy service account. When operations are routed through the Azure Arc Cluster Connect proxy, the Kubernetes audit log records the acting user as system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa with the actual caller identity in the impersonatedUser field. This pattern indicates that someone is accessing the cluster through the Azure ARM API rather than directly via kubectl against the API server. While legitimate for Arc-managed workflows, adversaries with stolen service principal credentials can abuse Arc Cluster Connect to read, exfiltrate, or modify secrets and configmaps while appearing as the Arc proxy service account in K8s audit logs.↳ also matches list-configmaps: list configmaps, create-configmaps: create configmaps, update-configmaps: update configmaps, patch-configmaps: patch configmaps, delete-configmaps: delete configmaps

list-configmaps: list configmaps

Resource: Kubernetes-configmaps

Fields #

Name	Description
`verb`	The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...).
`objectRef.resource`	The targeted resource type (plural API name, e.g. pods, secrets).
`objectRef.subresource`	The targeted subresource, when present (e.g. exec, log, token).
`objectRef.namespace`	Namespace of the targeted object (empty for cluster-scoped resources).
`objectRef.name`	Name of the targeted object.
`objectRef.apiGroup`	API group of the targeted resource (empty string for core group).
`user.username`	Authenticated identity that issued the request (user or service account).
`user.groups`	Groups of the requesting identity.
`sourceIPs`	Source IP addresses of the request.
`responseStatus.code`	HTTP status code of the API response (200, 201, 403, 404, ...).
`stage`	Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic.
`requestReceivedTimestamp`	Time the apiserver received the request.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Esql.timestamp_first_seen`	ge	`NOW() - 9`	1 rule	elastic
`kubernetes.audit.objectRef.resource`	in	`configmaps`	1 rule	elastic
`kubernetes.audit.objectRef.resource`	in	`secrets`	1 rule	elastic
`kubernetes.audit.verb`	in	`delete`	1 rule	elastic
`kubernetes.audit.verb`	in	`get`	1 rule	elastic
`kubernetes.audit.verb`	in	`list`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

Kubernetes Secret or ConfigMap Access via Azure Arc Proxy source medium: Detects when secrets or configmaps are accessed, created, modified, or deleted in a Kubernetes cluster by the Azure Arc AAD proxy service account. When operations are routed through the Azure Arc Cluster Connect proxy, the Kubernetes audit log records the acting user as system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa with the actual caller identity in the impersonatedUser field. This pattern indicates that someone is accessing the cluster through the Azure ARM API rather than directly via kubectl against the API server. While legitimate for Arc-managed workflows, adversaries with stolen service principal credentials can abuse Arc Cluster Connect to read, exfiltrate, or modify secrets and configmaps while appearing as the Arc proxy service account in K8s audit logs.↳ also matches get-configmaps: get configmaps, create-configmaps: create configmaps, update-configmaps: update configmaps, patch-configmaps: patch configmaps, delete-configmaps: delete configmaps

watch-configmaps: watch configmaps

Resource: Kubernetes-configmaps

Fields #

Name	Description
`verb`	The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...).
`objectRef.resource`	The targeted resource type (plural API name, e.g. pods, secrets).
`objectRef.subresource`	The targeted subresource, when present (e.g. exec, log, token).
`objectRef.namespace`	Namespace of the targeted object (empty for cluster-scoped resources).
`objectRef.name`	Name of the targeted object.
`objectRef.apiGroup`	API group of the targeted resource (empty string for core group).
`user.username`	Authenticated identity that issued the request (user or service account).
`user.groups`	Groups of the requesting identity.
`sourceIPs`	Source IP addresses of the request.
`responseStatus.code`	HTTP status code of the API response (200, 201, 403, 404, ...).
`stage`	Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic.
`requestReceivedTimestamp`	Time the apiserver received the request.

create-configmaps: create configmaps

Resource: Kubernetes-configmaps

Fields #

Name	Description
`verb`	The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...).
`objectRef.resource`	The targeted resource type (plural API name, e.g. pods, secrets).
`objectRef.subresource`	The targeted subresource, when present (e.g. exec, log, token).
`objectRef.namespace`	Namespace of the targeted object (empty for cluster-scoped resources).
`objectRef.name`	Name of the targeted object.
`objectRef.apiGroup`	API group of the targeted resource (empty string for core group).
`user.username`	Authenticated identity that issued the request (user or service account).
`user.groups`	Groups of the requesting identity.
`sourceIPs`	Source IP addresses of the request.
`responseStatus.code`	HTTP status code of the API response (200, 201, 403, 404, ...).
`stage`	Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic.
`requestReceivedTimestamp`	Time the apiserver received the request.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Esql.timestamp_first_seen`	ge	`NOW() - 9`	1 rule	elastic
`kubernetes.audit.objectRef.resource`	in	`configmaps`	1 rule	elastic
`kubernetes.audit.objectRef.resource`	in	`secrets`	1 rule	elastic
`kubernetes.audit.verb`	in	`delete`	1 rule	elastic
`kubernetes.audit.verb`	in	`get`	1 rule	elastic
`kubernetes.audit.verb`	in	`list`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

Kubernetes Secret or ConfigMap Access via Azure Arc Proxy source medium: Detects when secrets or configmaps are accessed, created, modified, or deleted in a Kubernetes cluster by the Azure Arc AAD proxy service account. When operations are routed through the Azure Arc Cluster Connect proxy, the Kubernetes audit log records the acting user as system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa with the actual caller identity in the impersonatedUser field. This pattern indicates that someone is accessing the cluster through the Azure ARM API rather than directly via kubectl against the API server. While legitimate for Arc-managed workflows, adversaries with stolen service principal credentials can abuse Arc Cluster Connect to read, exfiltrate, or modify secrets and configmaps while appearing as the Arc proxy service account in K8s audit logs.↳ also matches get-configmaps: get configmaps, list-configmaps: list configmaps, update-configmaps: update configmaps, patch-configmaps: patch configmaps, delete-configmaps: delete configmaps

update-configmaps: update configmaps

Resource: Kubernetes-configmaps

Description

ConfigMap modified (e.g. CoreDNS config or aws-auth in kube-system).

Fields #

Name	Description
`verb`	The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...).
`objectRef.resource`	The targeted resource type (plural API name, e.g. pods, secrets).
`objectRef.subresource`	The targeted subresource, when present (e.g. exec, log, token).
`objectRef.namespace`	Namespace of the targeted object (empty for cluster-scoped resources).
`objectRef.name`	Name of the targeted object.
`objectRef.apiGroup`	API group of the targeted resource (empty string for core group).
`user.username`	Authenticated identity that issued the request (user or service account).
`user.groups`	Groups of the requesting identity.
`sourceIPs`	Source IP addresses of the request.
`responseStatus.code`	HTTP status code of the API response (200, 201, 403, 404, ...).
`stage`	Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic.
`requestReceivedTimestamp`	Time the apiserver received the request.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`kubernetes.audit.verb`	in	`delete`	3 rules	elastic
`kubernetes.audit.verb`	in	`patch`	3 rules	elastic
`kubernetes.audit.verb`	in	`update`	3 rules	elastic
`kubernetes.audit.verb`	in	`get`	1 rule	elastic
`kubernetes.audit.verb`	in	`list`	1 rule	elastic
`kubernetes.audit.objectRef.namespace`	eq	`kube-system`	2 rules	elastic
`kubernetes.audit.objectRef.resource`	eq	`configmaps`	2 rules	elastic
`kubernetes.audit.objectRef.resource`	in	`configmaps`	1 rule	elastic
`kubernetes.audit.objectRef.resource`	in	`secrets`	1 rule	elastic
`Esql.timestamp_first_seen`	ge	`NOW() - 9`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

Kubernetes Secret or ConfigMap Access via Azure Arc Proxy source medium: Detects when secrets or configmaps are accessed, created, modified, or deleted in a Kubernetes cluster by the Azure Arc AAD proxy service account. When operations are routed through the Azure Arc Cluster Connect proxy, the Kubernetes audit log records the acting user as system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa with the actual caller identity in the impersonatedUser field. This pattern indicates that someone is accessing the cluster through the Azure ARM API rather than directly via kubectl against the API server. While legitimate for Arc-managed workflows, adversaries with stolen service principal credentials can abuse Arc Cluster Connect to read, exfiltrate, or modify secrets and configmaps while appearing as the Arc proxy service account in K8s audit logs.↳ also matches get-configmaps: get configmaps, list-configmaps: list configmaps, create-configmaps: create configmaps, patch-configmaps: patch configmaps, delete-configmaps: delete configmaps
Kubernetes CoreDNS or Kube-DNS Configuration Modified source high: Detects modifications to the CoreDNS or kube-dns ConfigMap in the kube-system namespace. These ConfigMaps control cluster DNS resolution for all pods. An attacker who modifies the CoreDNS Corefile can redirect internal service DNS names to attacker-controlled IP addresses, enabling man-in-the-middle attacks against the Kubernetes API server, database services, and other internal endpoints. Pods that resolve service names via cluster DNS will transparently connect to the attacker instead of the legitimate service, allowing interception of service account tokens, database credentials, and API traffic. DNS poisoning at the cluster level is particularly dangerous because it affects every pod in every namespace simultaneously and does not require any modification to the victim workloads. CoreDNS configuration changes are rare in normal operations and any unexpected modification should be investigated immediately.↳ also matches patch-configmaps: patch configmaps, delete-configmaps: delete configmaps
EKS Authentication Configuration Modified source high: Detects modifications to the aws-auth ConfigMap in Amazon EKS clusters. The aws-auth ConfigMap maps AWS IAM roles and users to Kubernetes RBAC groups, an attacker who modifies it can grant any IAM role cluster-admin access by adding a mapping to the system:masters group. This is a well-documented persistence technique that survives pod restarts, node replacements, and RBAC changes because the authentication mapping exists outside of normal Kubernetes Role objects. Modifications to aws-auth are rare in normal operations, the ConfigMap is typically set during cluster provisioning and updated only during node group or access configuration changes.↳ also matches patch-configmaps: patch configmaps, delete-configmaps: delete configmaps

patch-configmaps: patch configmaps

Resource: Kubernetes-configmaps

Fields #

Name	Description
`verb`	The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...).
`objectRef.resource`	The targeted resource type (plural API name, e.g. pods, secrets).
`objectRef.subresource`	The targeted subresource, when present (e.g. exec, log, token).
`objectRef.namespace`	Namespace of the targeted object (empty for cluster-scoped resources).
`objectRef.name`	Name of the targeted object.
`objectRef.apiGroup`	API group of the targeted resource (empty string for core group).
`user.username`	Authenticated identity that issued the request (user or service account).
`user.groups`	Groups of the requesting identity.
`sourceIPs`	Source IP addresses of the request.
`responseStatus.code`	HTTP status code of the API response (200, 201, 403, 404, ...).
`stage`	Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic.
`requestReceivedTimestamp`	Time the apiserver received the request.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`kubernetes.audit.verb`	in	`delete`	3 rules	elastic
`kubernetes.audit.verb`	in	`get`	1 rule	elastic
`kubernetes.audit.verb`	in	`list`	1 rule	elastic
`kubernetes.audit.objectRef.namespace`	eq	`kube-system`	2 rules	elastic
`kubernetes.audit.objectRef.resource`	eq	`configmaps`	2 rules	elastic
`kubernetes.audit.objectRef.resource`	in	`configmaps`	1 rule	elastic
`kubernetes.audit.objectRef.resource`	in	`secrets`	1 rule	elastic
`Esql.timestamp_first_seen`	ge	`NOW() - 9`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

Kubernetes CoreDNS or Kube-DNS Configuration Modified source high: Detects modifications to the CoreDNS or kube-dns ConfigMap in the kube-system namespace. These ConfigMaps control cluster DNS resolution for all pods. An attacker who modifies the CoreDNS Corefile can redirect internal service DNS names to attacker-controlled IP addresses, enabling man-in-the-middle attacks against the Kubernetes API server, database services, and other internal endpoints. Pods that resolve service names via cluster DNS will transparently connect to the attacker instead of the legitimate service, allowing interception of service account tokens, database credentials, and API traffic. DNS poisoning at the cluster level is particularly dangerous because it affects every pod in every namespace simultaneously and does not require any modification to the victim workloads. CoreDNS configuration changes are rare in normal operations and any unexpected modification should be investigated immediately.↳ also matches update-configmaps: update configmaps, delete-configmaps: delete configmaps
EKS Authentication Configuration Modified source high: Detects modifications to the aws-auth ConfigMap in Amazon EKS clusters. The aws-auth ConfigMap maps AWS IAM roles and users to Kubernetes RBAC groups, an attacker who modifies it can grant any IAM role cluster-admin access by adding a mapping to the system:masters group. This is a well-documented persistence technique that survives pod restarts, node replacements, and RBAC changes because the authentication mapping exists outside of normal Kubernetes Role objects. Modifications to aws-auth are rare in normal operations, the ConfigMap is typically set during cluster provisioning and updated only during node group or access configuration changes.↳ also matches update-configmaps: update configmaps, delete-configmaps: delete configmaps
Kubernetes Secret or ConfigMap Access via Azure Arc Proxy source medium: Detects when secrets or configmaps are accessed, created, modified, or deleted in a Kubernetes cluster by the Azure Arc AAD proxy service account. When operations are routed through the Azure Arc Cluster Connect proxy, the Kubernetes audit log records the acting user as system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa with the actual caller identity in the impersonatedUser field. This pattern indicates that someone is accessing the cluster through the Azure ARM API rather than directly via kubectl against the API server. While legitimate for Arc-managed workflows, adversaries with stolen service principal credentials can abuse Arc Cluster Connect to read, exfiltrate, or modify secrets and configmaps while appearing as the Arc proxy service account in K8s audit logs.↳ also matches get-configmaps: get configmaps, list-configmaps: list configmaps, create-configmaps: create configmaps, update-configmaps: update configmaps, delete-configmaps: delete configmaps

delete-configmaps: delete configmaps

Resource: Kubernetes-configmaps

Fields #

Name	Description
`verb`	The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...).
`objectRef.resource`	The targeted resource type (plural API name, e.g. pods, secrets).
`objectRef.subresource`	The targeted subresource, when present (e.g. exec, log, token).
`objectRef.namespace`	Namespace of the targeted object (empty for cluster-scoped resources).
`objectRef.name`	Name of the targeted object.
`objectRef.apiGroup`	API group of the targeted resource (empty string for core group).
`user.username`	Authenticated identity that issued the request (user or service account).
`user.groups`	Groups of the requesting identity.
`sourceIPs`	Source IP addresses of the request.
`responseStatus.code`	HTTP status code of the API response (200, 201, 403, 404, ...).
`stage`	Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic.
`requestReceivedTimestamp`	Time the apiserver received the request.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`kubernetes.audit.verb`	in	`delete`	3 rules	elastic
`kubernetes.audit.verb`	in	`get`	1 rule	elastic
`kubernetes.audit.verb`	in	`list`	1 rule	elastic
`kubernetes.audit.objectRef.namespace`	eq	`kube-system`	2 rules	elastic
`kubernetes.audit.objectRef.resource`	eq	`configmaps`	2 rules	elastic
`kubernetes.audit.objectRef.resource`	in	`configmaps`	1 rule	elastic
`kubernetes.audit.objectRef.resource`	in	`secrets`	1 rule	elastic
`Esql.timestamp_first_seen`	ge	`NOW() - 9`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

Kubernetes Secret or ConfigMap Access via Azure Arc Proxy source medium: Detects when secrets or configmaps are accessed, created, modified, or deleted in a Kubernetes cluster by the Azure Arc AAD proxy service account. When operations are routed through the Azure Arc Cluster Connect proxy, the Kubernetes audit log records the acting user as system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa with the actual caller identity in the impersonatedUser field. This pattern indicates that someone is accessing the cluster through the Azure ARM API rather than directly via kubectl against the API server. While legitimate for Arc-managed workflows, adversaries with stolen service principal credentials can abuse Arc Cluster Connect to read, exfiltrate, or modify secrets and configmaps while appearing as the Arc proxy service account in K8s audit logs.↳ also matches get-configmaps: get configmaps, list-configmaps: list configmaps, create-configmaps: create configmaps, update-configmaps: update configmaps, patch-configmaps: patch configmaps
Kubernetes CoreDNS or Kube-DNS Configuration Modified source high: Detects modifications to the CoreDNS or kube-dns ConfigMap in the kube-system namespace. These ConfigMaps control cluster DNS resolution for all pods. An attacker who modifies the CoreDNS Corefile can redirect internal service DNS names to attacker-controlled IP addresses, enabling man-in-the-middle attacks against the Kubernetes API server, database services, and other internal endpoints. Pods that resolve service names via cluster DNS will transparently connect to the attacker instead of the legitimate service, allowing interception of service account tokens, database credentials, and API traffic. DNS poisoning at the cluster level is particularly dangerous because it affects every pod in every namespace simultaneously and does not require any modification to the victim workloads. CoreDNS configuration changes are rare in normal operations and any unexpected modification should be investigated immediately.↳ also matches update-configmaps: update configmaps, patch-configmaps: patch configmaps
EKS Authentication Configuration Modified source high: Detects modifications to the aws-auth ConfigMap in Amazon EKS clusters. The aws-auth ConfigMap maps AWS IAM roles and users to Kubernetes RBAC groups, an attacker who modifies it can grant any IAM role cluster-admin access by adding a mapping to the system:masters group. This is a well-documented persistence technique that survives pod restarts, node replacements, and RBAC changes because the authentication mapping exists outside of normal Kubernetes Role objects. Modifications to aws-auth are rare in normal operations, the ConfigMap is typically set during cluster provisioning and updated only during node group or access configuration changes.↳ also matches update-configmaps: update configmaps, patch-configmaps: patch configmaps

any-configmaps: any verb on configmaps (synthetic aggregation)

Resource: Kubernetes-configmaps

Description

Synthetic aggregation for rules that filter the configmaps resource with no specific verb. Not a distinct audit record; hosts rule listings that key on objectRef.resource alone.

Fields #

Name	Description
`verb`	The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...).
`objectRef.resource`	The targeted resource type (plural API name, e.g. pods, secrets).
`objectRef.subresource`	The targeted subresource, when present (e.g. exec, log, token).
`objectRef.namespace`	Namespace of the targeted object (empty for cluster-scoped resources).
`objectRef.name`	Name of the targeted object.
`objectRef.apiGroup`	API group of the targeted resource (empty string for core group).
`user.username`	Authenticated identity that issued the request (user or service account).
`user.groups`	Groups of the requesting identity.
`sourceIPs`	Source IP addresses of the request.
`responseStatus.code`	HTTP status code of the API response (200, 201, 403, 404, ...).
`stage`	Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic.
`requestReceivedTimestamp`	Time the apiserver received the request.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	in	`get`	1 rule	elastic
`EventType`	in	`list`	1 rule	elastic
`kubernetes.audit.objectRef.resource`	in	`clusterrolebindings`	1 rule	elastic
`kubernetes.audit.objectRef.resource`	in	`namespaces`	1 rule	elastic
`kubernetes.audit.objectRef.resource`	in	`nodes`	1 rule	elastic
`kubernetes.audit.objectRef.resource`	in	`pods`	1 rule	elastic
`kubernetes.audit.objectRef.resource`	in	`rolebindings`	1 rule	elastic
`kubernetes.audit.objectRef.resource`	in	`serviceaccounts`	1 rule	elastic
`user`	is_not_null		1 rule	elastic, kusto, splunk

Detection Rules #

View all rules referencing this event →

Elastic #

Kubernetes Multi-Resource Discovery source medium: Adversaries who land credentials in a cluster—or abuse an over-privileged token—often map the environment before exfiltration or privilege escalation. A practical first pass is to learn where workloads run, how the cluster is partitioned, and what RBAC exists at namespace vs cluster scope. Rapid get/list traffic across distinct API resource kinds that answer those questions (namespaces, workloads, roles, cluster-wide roles) is a common setup and orientation pattern for both interactive attackers and automated recon scripts. It is less typical for steady-state controllers, which usually touch a narrow set of resources repeatedly. This rule highlights that cross-resource burst from a single client fingerprint within a one-minute bucket so analysts can separate routine automation from potential discovery and permission reconnaissance ahead of follow-on actions.

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)