Azure Kubernetes Pods Deleted
Identifies the deletion of Azure Kubernetes Pods.
Sigma rule
title: Azure Kubernetes Pods Deleted
id: b02f9591-12c3-4965-986a-88028629b2e1
status: test
description: Identifies the deletion of Azure Kubernetes Pods.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
    - https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
author: Austin Songer @austinsonger
date: 2021-07-24
modified: 2022-08-23
tags:
    - attack.impact
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE
    condition: selection
falsepositives:
    - Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Pod deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
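The rule above is a single-field selection: it fires on any Azure Activity Log record whose operationName equals the pods/delete operation, and the falsepositives section tells the analyst to then check who performed it. The following Python is an added example, not part of the Sigma rule or the Sigma project, that evaluates that selection against a handful of constructed Activity Log records and applies the rule's own false-positive guidance as an exemption list of verified callers. It assumes Sigma's default case-insensitive string matching, and it assumes the Activity Log field names caller, callerIpAddress, resourceId and eventTimestamp; operationName is accepted either as a plain string (diagnostic export shape) or as an object with a value key (REST API shape). Subscription IDs and identities in the sample data are placeholders.

```python
"""Evaluate the 'Azure Kubernetes Pods Deleted' Sigma selection against
Azure Activity Log records and triage hits against a known-automation list.

Added example, not the Sigma rule's or the Sigma project's own code.
Assumptions: Sigma plain-string matching is case-insensitive; records carry
the Activity Log fields caller, callerIpAddress, resourceId, eventTimestamp;
operationName may be a string or an object with a "value" key.
"""
import json
from typing import Any, Dict, Iterable, List

RULE_ID = "b02f9591-12c3-4965-986a-88028629b2e1"
RULE_TITLE = "Azure Kubernetes Pods Deleted"
RULE_LEVEL = "medium"

# The rule's detection.selection block, as field -> expected value.
SELECTION = {"operationName": "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE"}

# Constructed sample records (placeholder subscription, identities and IPs).
SAMPLE_ACTIVITY_LOG: List[Dict[str, Any]] = [
    {   # expected CI/CD automation deleting a pod; operationName in mixed case
        "eventTimestamp": "2024-01-15T09:12:03Z",
        "operationName": "Microsoft.Kubernetes/connectedClusters/pods/delete",
        "caller": "deploy-pipeline@contoso.example",
        "callerIpAddress": "203.0.113.10",
        "resourceId": "/subscriptions/PLACEHOLDER-SUB/resourceGroups/rg-edge"
                      "/providers/Microsoft.Kubernetes/connectedClusters/edge-01",
    },
    {   # a write, not a delete: must not match
        "eventTimestamp": "2024-01-15T09:12:10Z",
        "operationName": "Microsoft.Kubernetes/connectedClusters/pods/write",
        "caller": "deploy-pipeline@contoso.example",
        "callerIpAddress": "203.0.113.10",
        "resourceId": "/subscriptions/PLACEHOLDER-SUB/resourceGroups/rg-edge"
                      "/providers/Microsoft.Kubernetes/connectedClusters/edge-01",
    },
    {   # REST API shape for operationName; caller is not on the exemption list
        "eventTimestamp": "2024-01-15T22:41:55Z",
        "operationName": {"value": "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE",
                          "localizedValue": "Delete pods (constructed label)"},
        "caller": "alice@contoso.example",
        "callerIpAddress": "198.51.100.77",
        "resourceId": "/subscriptions/PLACEHOLDER-SUB/resourceGroups/rg-edge"
                      "/providers/Microsoft.Kubernetes/connectedClusters/edge-01",
    },
    {   # a read: must not match
        "eventTimestamp": "2024-01-15T22:42:00Z",
        "operationName": "Microsoft.Kubernetes/connectedClusters/pods/read",
        "caller": "alice@contoso.example",
        "callerIpAddress": "198.51.100.77",
        "resourceId": "/subscriptions/PLACEHOLDER-SUB/resourceGroups/rg-edge"
                      "/providers/Microsoft.Kubernetes/connectedClusters/edge-01",
    },
]

# Identities verified (per the rule's falsepositives guidance) as expected
# pod-deleting automation in this hypothetical environment.
KNOWN_AUTOMATION = {"deploy-pipeline@contoso.example"}


def _field_value(record: Dict[str, Any], field: str) -> Any:
    """Return a record field, unwrapping the {"value": ...} REST API shape."""
    value = record.get(field)
    if isinstance(value, dict):
        value = value.get("value")
    return value


def matches_selection(record: Dict[str, Any],
                      selection: Dict[str, str] = SELECTION) -> bool:
    """True if every field in the selection equals its expected value,
    compared case-insensitively as Sigma does for plain string values."""
    for field, expected in selection.items():
        actual = _field_value(record, field)
        if not isinstance(actual, str) or actual.lower() != expected.lower():
            return False
    return True


def run_rule(records: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Apply 'condition: selection' and emit one alert per matching record,
    carrying the fields an analyst needs for the who/where-from check."""
    alerts = []
    for record in records:
        if matches_selection(record):
            alerts.append({
                "rule_id": RULE_ID,
                "title": RULE_TITLE,
                "level": RULE_LEVEL,
                "time": record.get("eventTimestamp"),
                "caller": record.get("caller"),
                "caller_ip": record.get("callerIpAddress"),
                "resource": record.get("resourceId"),
            })
    return alerts


def triage(alert: Dict[str, Any], known_callers: Iterable[str]) -> str:
    """Exempt alerts raised by a verified automation identity; everything
    else (unfamiliar user or host) is queued for investigation."""
    known = {c.lower() for c in known_callers}
    caller = (alert.get("caller") or "").lower()
    return "exempt" if caller in known else "investigate"


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_ACTIVITY_LOG):
        print(triage(alert, KNOWN_AUTOMATION), json.dumps(alert))
```

Running the block prints one line per alert: the pipeline identity's deletion comes out as exempt and the unlisted user's deletion as investigate, while the write and read records never reach triage because the selection does not match them.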