AWS EKS Cluster Created or Deleted
Identifies when an EKS cluster is created or deleted.
Sigma rule

```yaml
title: AWS EKS Cluster Created or Deleted
id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0
status: test
description: Identifies when an EKS cluster is created or deleted.
references:
  - https://any-api.com/amazonaws_com/eks/docs/API_Description
author: Austin Songer
date: 2021-08-16
modified: 2022-10-09
tags:
  - attack.impact
  - attack.t1485
logsource:
  product: aws
  service: cloudtrail
detection:
  selection:
    eventSource: eks.amazonaws.com
    eventName:
      - CreateCluster
      - DeleteCluster
  condition: selection
falsepositives:
  - EKS Cluster being created or deleted may be performed by a system administrator.
  - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
  - EKS Cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
```
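As an added example (not part of the Sigma rule or of SigmaHQ), the following Python applies the rule's `selection` to a few constructed CloudTrail records and pulls out the fields the `falsepositives` section says to verify (user identity, user agent, source address), with a hypothetical allowlist standing in for the "exempt known behavior" step. The record field names follow the CloudTrail JSON schema; the ARNs, IPs and cluster names are made up.

```python
# Added example: evaluate the Sigma selection against CloudTrail records and
# produce triage-ready hits. Sample data below is constructed, not real.

SAMPLE_RECORDS = [
    {"eventSource": "eks.amazonaws.com", "eventName": "CreateCluster",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.13.0",
     "requestParameters": {"name": "prod-eks"}},
    {"eventSource": "eks.amazonaws.com", "eventName": "DescribeCluster",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.13.0",
     "requestParameters": {"name": "prod-eks"}},
    {"eventSource": "eks.amazonaws.com", "eventName": "DeleteCluster",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/terraform-ci"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "APN/1.0 HashiCorp/1.0 Terraform",
     "requestParameters": {"name": "staging-eks"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DeleteCluster",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "192.0.2.5", "userAgent": "console.amazonaws.com"},
]

# Hypothetical allowlist of identities whose EKS lifecycle changes are expected
# (the rule's "known behavior ... can be exempted" advice). Constructed value.
KNOWN_AUTOMATION = {"arn:aws:iam::111122223333:role/terraform-ci"}

SELECTION_SOURCE = "eks.amazonaws.com"
SELECTION_EVENTS = ("createcluster", "deletecluster")


def matches(record):
    """Sigma 'selection': eventSource AND eventName in list.
    Sigma string comparison is case-insensitive by default, so fold case."""
    source = str(record.get("eventSource", "")).lower()
    name = str(record.get("eventName", "")).lower()
    return source == SELECTION_SOURCE and name in SELECTION_EVENTS


def triage(record, allowlist):
    """Collect the fields the falsepositives guidance asks an analyst to verify."""
    arn = record.get("userIdentity", {}).get("arn", "")
    return {
        "eventName": record.get("eventName"),
        "cluster": record.get("requestParameters", {}).get("name"),
        "actor": arn,
        "sourceIPAddress": record.get("sourceIPAddress"),
        "userAgent": record.get("userAgent"),
        "exempt": arn in allowlist,
    }


def run_rule(records, allowlist=KNOWN_AUTOMATION, suppress_exempt=False):
    """Return triage dicts for matching records; optionally drop allowlisted actors."""
    hits = [triage(r, allowlist) for r in records if matches(r)]
    return [h for h in hits if not h["exempt"]] if suppress_exempt else hits
```

Running `run_rule(SAMPLE_RECORDS)` yields two hits (the EC2 `DeleteCluster` and the EKS `DescribeCluster` do not match); with `suppress_exempt=True` only the interactive `alice` CreateCluster remains.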