Azure Kubernetes Events Deleted
Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.
Sigma rule (View on GitHub)
1title: Azure Kubernetes Events Deleted
2id: 225d8b09-e714-479c-a0e4-55e6f29adf35
3status: test
4description: Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.
5references:
6 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
7 - https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
8author: Austin Songer @austinsonger
9date: 2021/07/24
10modified: 2022/08/23
11tags:
12 - attack.defense_evasion
13 - attack.t1562
14 - attack.t1562.001
15logsource:
16 product: azure
17 service: activitylogs
18detection:
19 selection:
20 operationName: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE
21 condition: selection
22falsepositives:
23 - Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
24level: medium
References
Related rules
- Powershell MS Defender Tampering - ScriptBlockLogging
- Tampering of Windows Defender with Reg
- Abusing PowerShell to Disable Defender Components
- Abusing PowerShell to Modify Defender Components
- AMSI Bypass Pattern Assembly GetType