Kubernetes Events Deleted
Detects when events are deleted in Kubernetes. An adversary may delete Kubernetes events in an attempt to evade detection.
Sigma rule
title: Kubernetes Events Deleted
id: 3132570d-cab2-4561-9ea6-1743644b2290
related:
    - id: 225d8b09-e714-479c-a0e4-55e6f29adf35
      type: derived
status: test
description: |
    Detects when events are deleted in Kubernetes.
    An adversary may delete Kubernetes events in an attempt to evade detection.
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.defense-evasion
    - attack.t1070
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'delete'
        objectRef.resource: 'events'
    condition: selection
falsepositives:
    - Unknown
level: medium
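To see what the selection actually matches, here is an added example (written for this page, not code from the Sigma project or the rule author) that implements the rule's selection logic in Python and runs it over a handful of constructed kube-apiserver audit entries. The audit lines, auditIDs, usernames and namespace are made up for illustration; the `ResponseComplete` stage filter and the broadened `deletecollection` variant are this example's own additions and are not part of the rule as written.

```python
import json

# Constructed kube-apiserver audit entries (audit.k8s.io/v1, Metadata level).
# Not real log data: the auditIDs, users, names and namespace are illustrative.
SAMPLE_AUDIT_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/events/web-6f7c.17a2b3c4d5e6","verb":"delete","user":{"username":"system:serviceaccount:prod:ci-deployer"},"objectRef":{"resource":"events","namespace":"prod","name":"web-6f7c.17a2b3c4d5e6","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2","stage":"ResponseComplete","requestURI":"/apis/events.k8s.io/v1/namespaces/prod/events/db-0.17a2b3c4d5e7","verb":"delete","user":{"username":"alice"},"objectRef":{"resource":"events","namespace":"prod","name":"db-0.17a2b3c4d5e7","apiGroup":"events.k8s.io","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/events","verb":"deletecollection","user":{"username":"alice"},"objectRef":{"resource":"events","namespace":"prod","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a4","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/pods/web-6f7c","verb":"delete","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"prod","name":"web-6f7c","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/events","verb":"list","user":{"username":"alice"},"objectRef":{"resource":"events","namespace":"prod","apiVersion":"v1"},"responseStatus":{"code":200}}
"""

# The rule's selection, verbatim: every key must match (Sigma ANDs map entries).
RULE_SELECTION = {"verb": "delete", "objectRef.resource": "events"}

# Broadened variant (this example's suggestion, not the published rule): a list value
# is ORed in Sigma, so this also catches whole-collection deletes.
BROADENED_SELECTION = {"verb": ["delete", "deletecollection"], "objectRef.resource": "events"}


def get_field(event, dotted):
    """Resolve a Sigma dotted field name such as objectRef.resource against a JSON object."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(event, selection):
    """True if every selection field equals its expected value (case-insensitive, Sigma default)."""
    for field, expected in selection.items():
        actual = get_field(event, field)
        if not isinstance(actual, str):
            return False
        allowed = expected if isinstance(expected, list) else [expected]
        if actual.lower() not in [v.lower() for v in allowed]:
            return False
    return True


def detect(log_text, selection=RULE_SELECTION):
    """Run the selection over newline-delimited audit JSON and return the hits with triage context."""
    hits = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # Assumption of this example: only alert once per request, on the completed stage,
        # so a policy that also logs RequestReceived does not double-fire.
        if ev.get("stage") != "ResponseComplete":
            continue
        if matches(ev, selection):
            hits.append({
                "auditID": ev.get("auditID"),
                "verb": ev.get("verb"),
                "user": get_field(ev, "user.username"),
                "namespace": get_field(ev, "objectRef.namespace"),
                "name": get_field(ev, "objectRef.name"),
                # Both the legacy core group and events.k8s.io expose a resource named "events".
                "apiGroup": get_field(ev, "objectRef.apiGroup") or "core",
            })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_AUDIT_LOG):
        print("rule as written:", hit)
    for hit in detect(SAMPLE_AUDIT_LOG, BROADENED_SELECTION):
        print("broadened      :", hit)
```

Against the constructed input, the rule as written fires on `a1` and `a2` (a single event deleted via the core API and via `events.k8s.io`) and ignores the pod delete and the `list`. It also ignores `a3`: `deletecollection` is a separate audit verb, so a client that wipes a namespace's events in one API call does not produce a `verb: delete` entry, which is why the broadened selection is worth considering. Two further checks before relying on this rule: the audit policy must record requests against the `events` resource at `Metadata` level or higher, otherwise there is nothing to match; and routine event expiry happens server-side through the API server's event TTL rather than through delete requests, so it does not generate audit entries and is not a false-positive source here.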
Related rules
- Clearing Windows Console History
- DLL Load By System Process From Suspicious Locations
- Disable of ETW Trace - Powershell
- ETW Trace Evasion Activity
- EventLog EVTX File Deleted