Secrets Kubernetes-secrets
8 operations, identified by Operation in the audit log.
| Operation | Description |
|---|---|
| get-secrets | Secret accessed (credential theft; service account tokens, TLS certs, API keys). |
| list-secrets | Secrets enumerated across a namespace or cluster. |
| watch-secrets | |
| create-secrets | |
| update-secrets | |
| patch-secrets | |
| delete-secrets | |
| any-secrets | Synthetic aggregation for rules that filter the secrets resource with no specific verb. Not a distinct audit record; hosts rule listings that key on objectRef.resource alone. |
get-secrets: get secrets
#Description
Secret accessed (credential theft; service account tokens, TLS certs, API keys).
Fields #
| Name | Description |
|---|---|
verb | The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...). |
objectRef.resource | The targeted resource type (plural API name, e.g. pods, secrets). |
objectRef.subresource | The targeted subresource, when present (e.g. exec, log, token). |
objectRef.namespace | Namespace of the targeted object (empty for cluster-scoped resources). |
objectRef.name | Name of the targeted object. |
objectRef.apiGroup | API group of the targeted resource (empty string for core group). |
user.username | Authenticated identity that issued the request (user or service account). |
user.groups | Groups of the requesting identity. |
sourceIPs | Source IP addresses of the request. |
responseStatus.code | HTTP status code of the API response (200, 201, 403, 404, ...). |
stage | Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic. |
requestReceivedTimestamp | Time the apiserver received the request. |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
kubernetes.audit.verb | in | get | 2 rules | elastic |
kubernetes.audit.verb | in | list | 2 rules | elastic |
kubernetes.audit.verb | in | delete | 1 rule | elastic |
Esql.timestamp_first_seen | ge | NOW() - 9 | 1 rule | elastic |
aws::userAgent | is_not_null | | 1 rule | elastic, kusto |
kubernetes.audit.objectRef.resource | eq | secrets | 1 rule | elastic |
kubernetes.audit.objectRef.resource | in | configmaps | 1 rule | elastic |
kubernetes.audit.objectRef.resource | in | secrets | 1 rule | elastic |
Detection Rules #
View all rules referencing this event →Elastic #
system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa with the actual caller identity in the impersonatedUser field. This pattern indicates that someone is accessing the cluster through the Azure ARM API rather than directly via kubectl against the API server. While legitimate for Arc-managed workflows, adversaries with stolen service principal credentials can abuse Arc Cluster Connect to read, exfiltrate, or modify secrets and configmaps while appearing as the Arc proxy service account in K8s audit logs.↳ also matches list-secrets: list secrets, create-secrets: create secrets, update-secrets: update secrets, patch-secrets: patch secrets, delete-secrets: delete secrets
list-secrets: list secrets
#Description
Secrets enumerated across a namespace or cluster.
Fields #
| Name | Description |
|---|---|
verb | The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...). |
objectRef.resource | The targeted resource type (plural API name, e.g. pods, secrets). |
objectRef.subresource | The targeted subresource, when present (e.g. exec, log, token). |
objectRef.namespace | Namespace of the targeted object (empty for cluster-scoped resources). |
objectRef.name | Name of the targeted object. |
objectRef.apiGroup | API group of the targeted resource (empty string for core group). |
user.username | Authenticated identity that issued the request (user or service account). |
user.groups | Groups of the requesting identity. |
sourceIPs | Source IP addresses of the request. |
responseStatus.code | HTTP status code of the API response (200, 201, 403, 404, ...). |
stage | Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic. |
requestReceivedTimestamp | Time the apiserver received the request. |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
kubernetes.audit.verb | in | get | 2 rules | elastic |
kubernetes.audit.verb | in | list | 2 rules | elastic |
kubernetes.audit.verb | in | delete | 1 rule | elastic |
aws::userAgent | is_not_null | | 1 rule | elastic, kusto |
kubernetes.audit.objectRef.resource | eq | secrets | 1 rule | elastic |
kubernetes.audit.objectRef.resource | in | configmaps | 1 rule | elastic |
kubernetes.audit.objectRef.resource | in | secrets | 1 rule | elastic |
objectRef.resource | eq | secrets | 1 rule | sigma, splunk |
verb | eq | list | 1 rule | sigma, splunk |
Detection Rules #
View all rules referencing this event →Sigma #
Elastic #
system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa with the actual caller identity in the impersonatedUser field. This pattern indicates that someone is accessing the cluster through the Azure ARM API rather than directly via kubectl against the API server. While legitimate for Arc-managed workflows, adversaries with stolen service principal credentials can abuse Arc Cluster Connect to read, exfiltrate, or modify secrets and configmaps while appearing as the Arc proxy service account in K8s audit logs.↳ also matches get-secrets: get secrets, create-secrets: create secrets, update-secrets: update secrets, patch-secrets: patch secrets, delete-secrets: delete secrets
watch-secrets: watch secrets
#Fields #
| Name | Description |
|---|---|
verb | The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...). |
objectRef.resource | The targeted resource type (plural API name, e.g. pods, secrets). |
objectRef.subresource | The targeted subresource, when present (e.g. exec, log, token). |
objectRef.namespace | Namespace of the targeted object (empty for cluster-scoped resources). |
objectRef.name | Name of the targeted object. |
objectRef.apiGroup | API group of the targeted resource (empty string for core group). |
user.username | Authenticated identity that issued the request (user or service account). |
user.groups | Groups of the requesting identity. |
sourceIPs | Source IP addresses of the request. |
responseStatus.code | HTTP status code of the API response (200, 201, 403, 404, ...). |
stage | Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic. |
requestReceivedTimestamp | Time the apiserver received the request. |
create-secrets: create secrets
#Fields #
| Name | Description |
|---|---|
verb | The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...). |
objectRef.resource | The targeted resource type (plural API name, e.g. pods, secrets). |
objectRef.subresource | The targeted subresource, when present (e.g. exec, log, token). |
objectRef.namespace | Namespace of the targeted object (empty for cluster-scoped resources). |
objectRef.name | Name of the targeted object. |
objectRef.apiGroup | API group of the targeted resource (empty string for core group). |
user.username | Authenticated identity that issued the request (user or service account). |
user.groups | Groups of the requesting identity. |
sourceIPs | Source IP addresses of the request. |
responseStatus.code | HTTP status code of the API response (200, 201, 403, 404, ...). |
stage | Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic. |
requestReceivedTimestamp | Time the apiserver received the request. |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
objectRef.resource | eq | secrets | 1 rule | sigma, splunk |
Detection Rules #
View all rules referencing this event →Sigma #
Elastic #
system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa with the actual caller identity in the impersonatedUser field. This pattern indicates that someone is accessing the cluster through the Azure ARM API rather than directly via kubectl against the API server. While legitimate for Arc-managed workflows, adversaries with stolen service principal credentials can abuse Arc Cluster Connect to read, exfiltrate, or modify secrets and configmaps while appearing as the Arc proxy service account in K8s audit logs.↳ also matches get-secrets: get secrets, list-secrets: list secrets, update-secrets: update secrets, patch-secrets: patch secrets, delete-secrets: delete secrets
update-secrets: update secrets
#Fields #
| Name | Description |
|---|---|
verb | The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...). |
objectRef.resource | The targeted resource type (plural API name, e.g. pods, secrets). |
objectRef.subresource | The targeted subresource, when present (e.g. exec, log, token). |
objectRef.namespace | Namespace of the targeted object (empty for cluster-scoped resources). |
objectRef.name | Name of the targeted object. |
objectRef.apiGroup | API group of the targeted resource (empty string for core group). |
user.username | Authenticated identity that issued the request (user or service account). |
user.groups | Groups of the requesting identity. |
sourceIPs | Source IP addresses of the request. |
responseStatus.code | HTTP status code of the API response (200, 201, 403, 404, ...). |
stage | Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic. |
requestReceivedTimestamp | Time the apiserver received the request. |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
objectRef.resource | eq | secrets | 1 rule | sigma, splunk |
Detection Rules #
View all rules referencing this event →Sigma #
Elastic #
system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa with the actual caller identity in the impersonatedUser field. This pattern indicates that someone is accessing the cluster through the Azure ARM API rather than directly via kubectl against the API server. While legitimate for Arc-managed workflows, adversaries with stolen service principal credentials can abuse Arc Cluster Connect to read, exfiltrate, or modify secrets and configmaps while appearing as the Arc proxy service account in K8s audit logs.↳ also matches get-secrets: get secrets, list-secrets: list secrets, create-secrets: create secrets, patch-secrets: patch secrets, delete-secrets: delete secrets
patch-secrets: patch secrets
#Fields #
| Name | Description |
|---|---|
verb | The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...). |
objectRef.resource | The targeted resource type (plural API name, e.g. pods, secrets). |
objectRef.subresource | The targeted subresource, when present (e.g. exec, log, token). |
objectRef.namespace | Namespace of the targeted object (empty for cluster-scoped resources). |
objectRef.name | Name of the targeted object. |
objectRef.apiGroup | API group of the targeted resource (empty string for core group). |
user.username | Authenticated identity that issued the request (user or service account). |
user.groups | Groups of the requesting identity. |
sourceIPs | Source IP addresses of the request. |
responseStatus.code | HTTP status code of the API response (200, 201, 403, 404, ...). |
stage | Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic. |
requestReceivedTimestamp | Time the apiserver received the request. |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
objectRef.resource | eq | secrets | 1 rule | sigma, splunk |
Detection Rules #
View all rules referencing this event →Sigma #
Elastic #
system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa with the actual caller identity in the impersonatedUser field. This pattern indicates that someone is accessing the cluster through the Azure ARM API rather than directly via kubectl against the API server. While legitimate for Arc-managed workflows, adversaries with stolen service principal credentials can abuse Arc Cluster Connect to read, exfiltrate, or modify secrets and configmaps while appearing as the Arc proxy service account in K8s audit logs.↳ also matches get-secrets: get secrets, list-secrets: list secrets, create-secrets: create secrets, update-secrets: update secrets, delete-secrets: delete secrets
delete-secrets: delete secrets
#Fields #
| Name | Description |
|---|---|
verb | The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...). |
objectRef.resource | The targeted resource type (plural API name, e.g. pods, secrets). |
objectRef.subresource | The targeted subresource, when present (e.g. exec, log, token). |
objectRef.namespace | Namespace of the targeted object (empty for cluster-scoped resources). |
objectRef.name | Name of the targeted object. |
objectRef.apiGroup | API group of the targeted resource (empty string for core group). |
user.username | Authenticated identity that issued the request (user or service account). |
user.groups | Groups of the requesting identity. |
sourceIPs | Source IP addresses of the request. |
responseStatus.code | HTTP status code of the API response (200, 201, 403, 404, ...). |
stage | Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic. |
requestReceivedTimestamp | Time the apiserver received the request. |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
objectRef.resource | eq | secrets | 1 rule | sigma, splunk |
Detection Rules #
View all rules referencing this event →Sigma #
Elastic #
system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa with the actual caller identity in the impersonatedUser field. This pattern indicates that someone is accessing the cluster through the Azure ARM API rather than directly via kubectl against the API server. While legitimate for Arc-managed workflows, adversaries with stolen service principal credentials can abuse Arc Cluster Connect to read, exfiltrate, or modify secrets and configmaps while appearing as the Arc proxy service account in K8s audit logs.↳ also matches get-secrets: get secrets, list-secrets: list secrets, create-secrets: create secrets, update-secrets: update secrets, patch-secrets: patch secrets
any-secrets: any verb on secrets (synthetic aggregation)
#Description
Synthetic aggregation for rules that filter the secrets resource with no specific verb. Not a distinct audit record; hosts rule listings that key on objectRef.resource alone.
Fields #
| Name | Description |
|---|---|
verb | The request verb (get, list, watch, create, update, replace, patch, delete, deletecollection, ...). |
objectRef.resource | The targeted resource type (plural API name, e.g. pods, secrets). |
objectRef.subresource | The targeted subresource, when present (e.g. exec, log, token). |
objectRef.namespace | Namespace of the targeted object (empty for cluster-scoped resources). |
objectRef.name | Name of the targeted object. |
objectRef.apiGroup | API group of the targeted resource (empty string for core group). |
user.username | Authenticated identity that issued the request (user or service account). |
user.groups | Groups of the requesting identity. |
sourceIPs | Source IP addresses of the request. |
responseStatus.code | HTTP status code of the API response (200, 201, 403, 404, ...). |
stage | Audit stage: RequestReceived, ResponseStarted, ResponseComplete, Panic. |
requestReceivedTimestamp | Time the apiserver received the request. |
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
kubernetes.audit.objectRef.resource | eq | secrets | 4 rules | elastic |
src_ip | is_not_null | | 4 rules | elastic, kusto, panther |
EventType | in | get | 2 rules | elastic |
EventType | in | list | 2 rules | elastic |
aws::userAgent | contains | distrib#kali | 1 rule | elastic |
aws::userAgent | contains | kali-arm64 | 1 rule | elastic |
user | is_not_null | | 1 rule | elastic, kusto, splunk |
user | starts_with | system\:serviceaccount\: | 1 rule | elastic |
Detection Rules #
View all rules referencing this event →Elastic #
get/list) with a user agent matching a curated set of non-standard or attacker-leaning clients, for example minimal HTTP tooling, common scripting stacks, default library fingerprints, or distribution-tagged strings associated with offensive-security Linux images. Legitimate in-cluster automation usually presents stable, purpose-specific user agents (for example controller or client-go variants used by known components).system:node:*) and workloads (system:serviceaccount:*) are meant to operate with tight, predictable API usage. Direct get or list on the Secrets API from those principals is often a sign of credential access. Attackers who stole a pod service-account token or node credentials sweep Secret objects for tokens, registry credentials, TLS keys, or application configuration. Even denied attempts still reveal intent to reach sensitive material. Legitimate controllers do read secrets they mount or manage, so this signal is most valuable when paired with triage (namespace scope, user agent, RBAC, and whether the identity should touch those secret names at all).Show 1 more (4 total)