Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Azure Kubernetes Events Deleted

Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Austin SongerCreated Sat Jul 24Updated Tue Aug 23225d8b09-e714-479c-a0e4-55e6f29adf35cloud
Log Source
Azureactivitylogs
ProductAzure← raw: azure
Serviceactivitylogs← raw: activitylogs
Detection Logic
Detection Logic1 selector
detection:
    selection:
        operationName: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE
    condition: selection
False Positives

Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

References
1
Resolving title…
learn.microsoft.com
2
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
225d8b09-e714-479c-a0e4-55e6f29adf35
Status
test
Level
medium
Type
Detection
Created
Sat Jul 24
Modified
Tue Aug 23
Author
Austin Songer
Path
rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml
Raw Tags
attack.defense-evasionattack.t1562attack.t1562.001
View on GitHub