Azure Kubernetes Events Deleted
Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.
Sigma rule (View on GitHub)
1title: Azure Kubernetes Events Deleted
2id: 225d8b09-e714-479c-a0e4-55e6f29adf35
3status: test
4description: Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.
5references:
6 - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
7 - https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
8author: Austin Songer @austinsonger
9date: 2021-07-24
10modified: 2022-08-23
11tags:
12 - attack.defense-impairment
13 - attack.t1685
14logsource:
15 product: azure
16 service: activitylogs
17detection:
18 selection:
19 operationName: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE
20 condition: selection
21falsepositives:
22 - Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
23level: medium
References
Related rules
- AMSI Bypass Pattern Assembly GetType
- AMSI Disabled via Registry Modification
- ASLR Disabled Via Sysctl or Direct Syscall - Linux
- AWS GuardDuty Detector Deleted Or Updated
- AWS GuardDuty Important Change