Deployment Deleted From Kubernetes Cluster
Detects the removal of a deployment from a Kubernetes cluster. This could indicate disruptive activity aiming to impact business operations.
Sigma rule (View on GitHub)
1title: Deployment Deleted From Kubernetes Cluster
2id: 40967487-139b-4811-81d9-c9767a92aa5a
3status: test
4description: |
5 Detects the removal of a deployment from a Kubernetes cluster.
6 This could indicate disruptive activity aiming to impact business operations.
7references:
8 - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Data%20destruction/
9author: Leo Tsaousis (@laripping)
10date: 2024-03-26
11tags:
12 - attack.t1498
13 - attack.impact
14logsource:
15 category: application
16 product: kubernetes
17 service: audit
18detection:
19 selection:
20 verb: 'delete'
21 objectRef.resource: 'deployments'
22 condition: selection
23falsepositives:
24 - Unknown
25level: low
References
-
Data destruction Info ID: MS-TA9038 Tactic: Impact MITRE technique: T1485 Attackers may attempt to destroy data and resources in the cluster. This includes deleting deployments, configurations, sto...
Read More
Related rules
- OpenCanary - NTP Monlist Request
- Potential BlackByte Ransomware Activity
- AWS SAML Provider Deletion Activity
- Antivirus Ransomware Detection
- Azure Container Registry Created or Deleted