Deployment Deleted From Kubernetes Cluster
Detects the removal of a deployment from a Kubernetes cluster. This could indicate disruptive activity aiming to impact business operations.
Sigma rule
title: Deployment Deleted From Kubernetes Cluster
id: 40967487-139b-4811-81d9-c9767a92aa5a
status: experimental
description: |
    Detects the removal of a deployment from a Kubernetes cluster.
    This could indicate disruptive activity aiming to impact business operations.
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Data%20destruction/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.t1498
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'delete'
        objectRef.resource: 'deployments'
    condition: selection
falsepositives:
    - Unknown
level: low
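
The rule's selection evaluated over Kubernetes audit events, as an added example (not code from the Sigma project or the rule's author). The helper names and the sample events are assumptions constructed for illustration; matching follows Sigma's default for plain string values, a case-insensitive comparison of the whole field value.

```python
import json

# Selection from the rule above; every field must match (logical AND).
SELECTION = {"verb": "delete", "objectRef.resource": "deployments"}

# Constructed Kubernetes audit events, one JSON object per line (not real log data).
SAMPLE_AUDIT_LOG = "\n".join([
    '{"verb":"delete","user":{"username":"alice@example.test"},'
    '"objectRef":{"resource":"deployments","namespace":"prod","name":"web"}}',
    '{"verb":"delete","user":{"username":"alice@example.test"},'
    '"objectRef":{"resource":"pods","namespace":"prod","name":"web-7d9f"}}',
    '{"verb":"create","user":{"username":"ci@example.test"},'
    '"objectRef":{"resource":"deployments","namespace":"prod","name":"api"}}',
    '{"verb":"deletecollection","user":{"username":"bob@example.test"},'
    '"objectRef":{"resource":"deployments","namespace":"dev"}}',
    '{"verb":"get","user":{"username":"system:anonymous"},"requestURI":"/healthz"}',
    '{"verb":"delete","objectRef":{"resource":"deploy',  # truncated line
])

def get_field(event, dotted):
    """Resolve a dotted Sigma field name such as 'objectRef.resource'."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None  # e.g. non-resource requests carry no objectRef
        cur = cur[part]
    return cur

def matches(event, selection=SELECTION):
    """True when every selection field equals the event value (whole value, case-insensitive)."""
    for field, expected in selection.items():
        value = get_field(event, field)
        if not isinstance(value, str) or value.lower() != expected.lower():
            return False
    return True

def detect(log_text):
    """Return (user, namespace, name) for each audit event the rule would flag."""
    hits = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated lines instead of aborting the scan
        if matches(event):
            hits.append((get_field(event, "user.username"),
                         get_field(event, "objectRef.namespace"),
                         get_field(event, "objectRef.name")))
    return hits
```

Only the first sample event is flagged; the `deletecollection` event carries a different `verb` value, so a whole-value match on `'delete'` does not select it.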