Detectionmediumtest

Kubernetes Events Deleted

Detects when events are deleted in Kubernetes. An adversary may delete Kubernetes events in an attempt to evade detection.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Leo TsaousisCreated Tue Mar 263132570d-cab2-4561-9ea6-1743644b2290application

Log Source

Kubernetesapplicationaudit

ProductKubernetes← raw: kubernetes

Categoryapplication← raw: application

Serviceaudit← raw: audit

Detection Logic

detection:
    selection:
        verb: 'delete'
        objectRef.resource: 'events'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

Techniques

Related Rules

Azure Kubernetes Events Deleted

Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata

Rule ID

3132570d-cab2-4561-9ea6-1743644b2290

Status

test

Level

medium

Type

Detection

Created

Tue Mar 26

Author

Path

rules/application/kubernetes/audit/kubernetes_audit_events_deleted.yml

Raw Tags

attack.defense-evasionattack.t1070