Detection rules › Elastic
Kubernetes Secrets List Across Cluster or Sensitive Namespaces
Detects list operations on Kubernetes Secrets from a non-loopback client when the request URI targets cluster-wide secrets or list operations under kube-system or default. Useful for spotting broad secret enumeration from remote clients.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1552.007 Unsecured Credentials: Container API |
| Discovery | T1613 Container and Resource Discovery |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Kubernetes-secrets | any-secrets | any verb on secrets (synthetic aggregation) |
Rules detecting the same action
Other rules on this platform that filter on the same API call or operation.
Rule body elastic
[metadata]
creation_date = "2026/04/22"
integration = ["kubernetes"]
maturity = "production"
updated_date = "2026/05/11"
[rule]
author = ["Elastic"]
description = """
Detects list operations on Kubernetes Secrets from a non-loopback client when the request URI targets cluster-wide
secrets or list operations under kube-system or default. Useful for spotting broad secret enumeration from remote
clients.
"""
from = "now-6m"
index = ["logs-kubernetes.audit_logs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Kubernetes Secrets List Across Cluster or Sensitive Namespaces"
note = """## Triage and analysis
### Investigating Kubernetes Secrets List Across Cluster or Sensitive Namespaces
Audit events for `list` on the `secrets` resource against `/api/v1/secrets`, paginated cluster lists, or namespace-scoped
lists under `kube-system` or `default`, from a source IP that is not localhost.
### Investigation steps
- Confirm the actor (`user.name`, groups) and whether the client is expected (CI, admin bastion, controller).
- Review `kubernetes.audit.requestURI`, `user_agent.original`, and follow-on API activity from the same source.
- Assess exposure: cluster-wide secret listing can surface many credentials.
### False positives
- Legitimate controllers or operators listing secrets in `kube-system` / `default` from cluster nodes may match; tune by
source IP, user agent, or service account as needed.
"""
references = [
"https://attack.mitre.org/techniques/T1552/007/",
]
risk_score = 73
rule_id = "7e3f9a2b-1c4d-5e6f-8a0b-9c8d7e6f5a4b"
severity = "high"
tags = [
"Data Source: Kubernetes",
"Domain: Kubernetes",
"Use Case: Threat Detection",
"Tactic: Credential Access",
"Tactic: Discovery",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:"kubernetes.audit_logs" and event.action:list and
kubernetes.audit.objectRef.resource:secrets and
kubernetes.audit.requestURI :(/api/v1/secrets or /api/v1/secrets?limit* or /api/v1/namespaces/kube-system/secrets or /api/v1/namespaces/kube-system/secrets?limit* or /api/v1/namespaces/default/secrets or /api/v1/namespaces/default/secrets?limit*) and
source.ip:(* and not ("::1" or "127.0.0.1")) and
not user.name: (system\:kube-controller-manager or eks\:cloud-controller-manager or eks\:kms-storage-migrator) and
not kubernetes.audit.user.groups:"system:serviceaccounts:ibm-csi"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
[[rule.threat.technique.subtechnique]]
id = "T1552.007"
name = "Container API"
reference = "https://attack.mitre.org/techniques/T1552/007/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1613"
name = "Container and Resource Discovery"
reference = "https://attack.mitre.org/techniques/T1613/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
Stages and Predicates
Stage 1: query
event.dataset:"kubernetes.audit_logs" and event.action:list and
kubernetes.audit.objectRef.resource:secrets and
kubernetes.audit.requestURI :(/api/v1/secrets or /api/v1/secrets?limit* or /api/v1/namespaces/kube-system/secrets or /api/v1/namespaces/kube-system/secrets?limit* or /api/v1/namespaces/default/secrets or /api/v1/namespaces/default/secrets?limit*) and
source.ip:(* and not ("::1" or "127.0.0.1")) and
not user.name: (system\:kube-controller-manager or eks\:cloud-controller-manager or eks\:kms-storage-migrator) and
not kubernetes.audit.user.groups:"system:serviceaccounts:ibm-csi"
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
kubernetes.audit.user.groups | eq | system:serviceaccounts:ibm-csi |
source.ip | in | 127.0.0.1, ::1 |
user.name | in | eks:cloud-controller-manager, eks:kms-storage-migrator, system:kube-controller-manager |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
event.action | eq |
|
event.dataset | eq |
|
kubernetes.audit.objectRef.resource | eq |
|
kubernetes.audit.requestURI | eq |
|
kubernetes.audit.requestURI | wildcard |
|
source.ip | is_not_null |