Kubectl Workload and Cluster Discovery

This rule detects the execution of kubectl commands that are commonly used for workload and cluster discovery in Kubernetes environments. It looks for process events where kubectl is executed with arguments that query cluster information, such as namespaces, nodes, pods, deployments, and other resources. In environments where kubectl is not expected to be used, this could indicate potential reconnaissance activity by an adversary.

Rule type: eql

Rule indices:

Severity: low

Risk score: 21

Runs every: 60m

Searches indices from: now-119m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

Version: 1

Rule authors:

Rule license: Elastic License v2

process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "executed", "process_started") and
process.name == "kubectl" and (
  (process.args in ("cluster-info", "api-resources", "api-versions", "version")) or
  (process.args in ("get", "describe") and process.args in (
    "namespaces", "nodes", "pods", "pod", "deployments", "deployment",
    "replicasets", "statefulsets", "daemonsets", "services", "service",
    "ingress", "ingresses", "endpoints", "configmaps", "events", "svc",
    "roles", "rolebindings", "clusterroles", "clusterrolebindings"
    )
  )
)