Kubernetes Service Account Token Created via TokenRequest API

Status: production
Severity: medium
Time window: 6m
Author: Elastic
Source: github.com/elastic/detection-rules

Detects the creation of a Kubernetes service account token through the TokenRequest API by a non-system identity. The TokenRequest API allows users and workloads to programmatically generate short-lived tokens for any service account they have create permissions on, without accessing the filesystem or the mounted projected token. Attackers who have gained initial access to a cluster can abuse this API to mint tokens for more privileged service accounts, pivot to cloud provider resources via IRSA/workload identity, or generate long-lived tokens that persist beyond pod termination. Unlike mounted service account tokens which are detectable through file access monitoring, tokens created via the TokenRequest API leave no filesystem footprint, they are only visible in Kubernetes audit logs as a create verb on the serviceaccounts/token subresource. This rule excludes legitimate system components such as the kubelet, kube-controller-manager, and cloud provider managed identities (EKS, AKS, GKE) that routinely create tokens for pod lifecycle management.

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1552.007` Unsecured Credentials: Container API

Event coverage

Provider	Event	Title
Kubernetes-serviceaccounts	create-serviceaccounts-token	create serviceaccounts/token

Rules detecting the same action

Other rules on this platform that filter on the same API call or operation.

New Kubernetes Service Account Created (Sigma)

Rule body elastic

[metadata]
creation_date = "2026/05/05"
integration = ["kubernetes"]
maturity = "production"
updated_date = "2026/05/05"

[rule]
author = ["Elastic"]
description = """
Detects the creation of a Kubernetes service account token through the TokenRequest API by a non-system identity. The
TokenRequest API allows users and workloads to programmatically generate short-lived tokens for any service account
they have create permissions on, without accessing the filesystem or the mounted projected token. Attackers who have
gained initial access to a cluster can abuse this API to mint tokens for more privileged service accounts, pivot to
cloud provider resources via IRSA/workload identity, or generate long-lived tokens that persist beyond pod
termination. Unlike mounted service account tokens which are detectable through file access monitoring, tokens created
via the TokenRequest API leave no filesystem footprint, they are only visible in Kubernetes audit logs as a create
verb on the serviceaccounts/token subresource. This rule excludes legitimate system components such as the kubelet,
kube-controller-manager, and cloud provider managed identities (EKS, AKS, GKE) that routinely create tokens for pod
lifecycle management.
"""
false_positives = [
    """
    New automation, admission webhooks, or platform agents that legitimately call the TokenRequest API under a
    non-standard user string may require narrow exclusions by user.name or source IP.
    """,
]
from = "now-6m"
index = ["logs-kubernetes.audit_logs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Kubernetes Service Account Token Created via TokenRequest API"
note = """## Triage and analysis

### Investigating Kubernetes Service Account Token Created via TokenRequest API

This alert indicates a successful `create` against the `serviceaccounts/token` subresource (TokenRequest API), which
issues a new service account token without a filesystem read. In EKS and other managed clusters, this can be abused to
mint tokens for more privileged service accounts (including IRSA-linked ones) and pivot to cloud APIs.

#### What to review first

- Actor and origin:
  - `user.name` / `kubernetes.audit.user.username`
  - `source.ip` / `kubernetes.audit.sourceIPs`
  - `user_agent.original` / `kubernetes.audit.userAgent`
  - For cloud identity, review `kubernetes.audit.user.extra.*` (e.g., `arn`, `principalId`).
- Targeted service account:
  - `kubernetes.audit.objectRef.namespace` and `kubernetes.audit.objectRef.name`
  - `kubernetes.audit.requestURI` (should resemble `/api/v1/namespaces/<ns>/serviceaccounts/<sa>/token`)
- Token issuance hints:
  - `kubernetes.audit.annotations.authentication_kubernetes_io/issued-credential-id` (token JTI/issued credential id)

#### Scoping

- Identify which Role/ClusterRoleBindings grant the actor `create` on `serviceaccounts/token` in the affected namespace.
- Pivot on the same `user.name` and `source.ip` for follow-on secret reads, pod exec, RBAC changes, or cloud API calls.

### Response and remediation

- If unauthorized, remove/revert the RBAC permission that allows TokenRequest (`serviceaccounts/token`) and rotate the
  affected service account credentials where applicable.
- For IRSA/workload identity cases, rotate/revoke the cloud role session pathways and review cloud audit logs for API
  activity from the time window of the token mint.
"""
references = [
    "https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-v1/",
    "https://attack.mitre.org/techniques/T1552/007/",
]
risk_score = 47
rule_id = "4df91789-7859-4bc4-9c5a-6b56bfa81a8b"
severity = "medium"
tags = [
    "Data Source: Kubernetes",
    "Domain: Kubernetes",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
data_stream.dataset:"kubernetes.audit_logs" and 
kubernetes.audit.verb:"create" and
kubernetes.audit.objectRef.resource:"serviceaccounts" and
kubernetes.audit.objectRef.subresource:"token" and
user.name:(* and not 
 (system\:kube-controller-manager or
  system\:kube-scheduler or
  system\:node\:* or
  system\:serviceaccount\:kube-system\:* or
  eks\:* or
  aksService or
  aks-service or
  masterclient or
  nodeclient or
  system\:serviceaccount\:gke-managed-system\:* or
  system\:serviceaccount\:gke-connect\:* or
  system\:serviceaccount\:anthos-identity-service\:* or
  system\:gke-controller-manager or
  system\:serviceaccount\:tigera-operator\:* or
  system\:serviceaccount\:calico-system\:*))
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"

[[rule.threat.technique.subtechnique]]
id = "T1552.007"
name = "Container API"
reference = "https://attack.mitre.org/techniques/T1552/007/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

Stages and Predicates

Stage 1: `query`

data_stream.dataset:"kubernetes.audit_logs" and 
kubernetes.audit.verb:"create" and
kubernetes.audit.objectRef.resource:"serviceaccounts" and
kubernetes.audit.objectRef.subresource:"token" and
user.name:(* and not 
 (system\:kube-controller-manager or
  system\:kube-scheduler or
  system\:node\:* or
  system\:serviceaccount\:kube-system\:* or
  eks\:* or
  aksService or
  aks-service or
  masterclient or
  nodeclient or
  system\:serviceaccount\:gke-managed-system\:* or
  system\:serviceaccount\:gke-connect\:* or
  system\:serviceaccount\:anthos-identity-service\:* or
  system\:gke-controller-manager or
  system\:serviceaccount\:tigera-operator\:* or
  system\:serviceaccount\:calico-system\:*))

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field	Kind	Excluded values
`user.name`	eq	`aks-service`
`user.name`	eq	`aksService`
`user.name`	eq	`masterclient`
`user.name`	eq	`nodeclient`
`user.name`	eq	`system:gke-controller-manager`
`user.name`	eq	`system:kube-controller-manager`
`user.name`	eq	`system:kube-scheduler`
`user.name`	starts_with	`eks\:`
`user.name`	starts_with	`system\:node\:`
`user.name`	starts_with	`system\:serviceaccount\:anthos-identity-service\:`
`user.name`	starts_with	`system\:serviceaccount\:calico-system\:`
`user.name`	starts_with	`system\:serviceaccount\:gke-connect\:`
`user.name`	starts_with	`system\:serviceaccount\:gke-managed-system\:`
`user.name`	starts_with	`system\:serviceaccount\:kube-system\:`
`user.name`	starts_with	`system\:serviceaccount\:tigera-operator\:`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`data_stream.dataset`	eq	`kubernetes.audit_logs`
`kubernetes.audit.objectRef.resource`	eq	`serviceaccounts`
`kubernetes.audit.objectRef.subresource`	eq	`token`
`kubernetes.audit.verb`	eq	`create`
`user.name`	is_not_null	(no value, null check)

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Kubernetes Service Account Token Created via TokenRequest API

MITRE ATT&CK coverage

Event coverage

Rules detecting the same action

Rule body elastic

Stages and Predicates

Stage 1: `query`

Exclusions

Indicators

Keyboard shortcuts

Search operators

Kubernetes Service Account Token Created via TokenRequest API

MITRE ATT&CK coverage

Event coverage

Rules detecting the same action

Rule body elastic

Stages and Predicates

Stage 1: query

Exclusions

Indicators

Stage 1: `query`