Kubernetes Events Deleted
Detects when events are deleted in Kubernetes. An adversary may delete Kubernetes events in an attempt to evade detection.
Sigma rule
title: Kubernetes Events Deleted
id: 3132570d-cab2-4561-9ea6-1743644b2290
related:
    - id: 225d8b09-e714-479c-a0e4-55e6f29adf35
      type: derived
status: experimental
description: |
    Detects when events are deleted in Kubernetes.
    An adversary may delete Kubernetes events in an attempt to evade detection.
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.t1070
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'delete'
        objectRef.resource: 'events'
    condition: selection
falsepositives:
    - Unknown
level: medium
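The selection above evaluated against constructed Kubernetes audit log lines, as an added Python example that is not part of the rule page or the Sigma project. The sample log entries are made up for this example; the field names (`verb`, `objectRef.resource`, `objectRef.namespace`, `user.username`, `stage`, `requestURI`) are those of the `audit.k8s.io/v1` Event format. Beyond the rule as written, the example also carries a broadened selection that additionally matches the `deletecollection` verb, which the API server records when a whole set of objects of one resource type is deleted in a single request; the rule on this page matches only the single-object `delete` verb, so that second selection is this example's own extension, not the rule's.

```python
import json

# Constructed sample audit log (JSON lines), not data from a real cluster.
# Line 1: single event deleted in kube-system by a service account.
# Line 2: events listed (read-only, must not match).
# Line 3: a pod deleted (wrong resource, must not match).
# Line 4: bulk delete of events in one namespace (verb is deletecollection).
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"delete","user":{"username":"system:serviceaccount:default:builder"},"objectRef":{"resource":"events","namespace":"kube-system","name":"coredns-5d78c9869d-x2k4p.17a1b2c3"},"requestURI":"/api/v1/namespaces/kube-system/events/coredns-5d78c9869d-x2k4p.17a1b2c3","responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"alice"},"objectRef":{"resource":"events","namespace":"default"},"requestURI":"/api/v1/namespaces/default/events","responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"delete","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"default","name":"web-1"},"requestURI":"/api/v1/namespaces/default/pods/web-1","responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"deletecollection","user":{"username":"system:serviceaccount:default:builder"},"objectRef":{"resource":"events","namespace":"default"},"requestURI":"/api/v1/namespaces/default/events","responseStatus":{"code":200}}
"""

# The rule's selection, written as field -> expected value (dotted keys
# address nested JSON exactly as the Sigma rule spells them).
SELECTION = {"verb": "delete", "objectRef.resource": "events"}

# This example's extension (an assumption about desired coverage, not the
# published rule): a Sigma list of values is an OR, so this also catches
# bulk deletes of the events resource.
SELECTION_WITH_COLLECTION = {
    "verb": ["delete", "deletecollection"],
    "objectRef.resource": "events",
}


def get_field(event, dotted):
    """Resolve a Sigma-style dotted field name against a parsed JSON event."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(event, selection):
    """Every field in the selection must match (Sigma maps are AND);
    a list of values for one field is OR; string comparison is
    case-insensitive, as Sigma's default matching is."""
    for field, expected in selection.items():
        value = get_field(event, field)
        if value is None:
            return False
        allowed = expected if isinstance(expected, list) else [expected]
        if str(value).lower() not in [str(a).lower() for a in allowed]:
            return False
    return True


def parse_audit_log(text):
    """Parse JSON-lines audit output into a list of event dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_event_deletions(text, selection=SELECTION, stage="ResponseComplete"):
    """Return one alert record per audit entry that matches the selection.

    Restricting to one audit stage avoids a duplicate alert when the audit
    policy logs both RequestReceived and ResponseComplete for a request.
    """
    alerts = []
    for ev in parse_audit_log(text):
        if ev.get("stage") != stage:
            continue
        if matches(ev, selection):
            alerts.append({
                "user": get_field(ev, "user.username"),
                "verb": ev.get("verb"),
                "namespace": get_field(ev, "objectRef.namespace"),
                "name": get_field(ev, "objectRef.name"),
                "uri": ev.get("requestURI"),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_event_deletions(SAMPLE_AUDIT_LOG):
        print("rule as published:", alert)
    for alert in find_event_deletions(SAMPLE_AUDIT_LOG, SELECTION_WITH_COLLECTION):
        print("with deletecollection:", alert)
```

Run against the constructed log, the published selection yields one alert (the single-object delete in `kube-system`), while the broadened selection also reports the namespace-wide bulk delete. The `user.username` and `objectRef.namespace` fields carried in the alert are what an analyst needs to triage, since event deletion by a controller or by an administrator cleaning up noise is the kind of activity behind the rule's "Unknown" false-positive entry.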
Related rules
- Clearing Windows Console History
- DLL Load By System Process From Suspicious Locations
- Disable of ETW Trace - Powershell
- ETW Trace Evasion Activity
- EventLog EVTX File Deleted