Azure Kubernetes Events Deleted

Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.

Sigma rule (View on GitHub)

 1title: Azure Kubernetes Events Deleted
 2id: 225d8b09-e714-479c-a0e4-55e6f29adf35
 3status: test
 4description: Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.
 5references:
 6    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
 7    - https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
 8author: Austin Songer @austinsonger
 9date: 2021-07-24
10modified: 2022-08-23
11tags:
12    - attack.defense-evasion
13    - attack.t1562
14    - attack.t1562.001
15logsource:
16    product: azure
17    service: activitylogs
18detection:
19    selection:
20        operationName: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE
21    condition: selection
22falsepositives:
23    - Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
24level: medium

References

Related rules

to-top