From 7c6b13936d6909b72f2d06a8f52e15d87951b9fe Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 24 Jul 2021 10:20:11 -0500
Subject: [PATCH 1/6] Create azure_kubernetes_events_deleted.yml
---
 .../cloud/azure_kubernetes_events_deleted.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/cloud/azure_kubernetes_events_deleted.yml
diff --git a/rules/cloud/azure_kubernetes_events_deleted.yml b/rules/cloud/azure_kubernetes_events_deleted.yml
new file mode 100644
index 000000000..aa209c993
--- /dev/null
+++ b/rules/cloud/azure_kubernetes_events_deleted.yml
@@ -0,0 +1,24 @@
+title: Azure Kubernetes Events Deleted
+id: 225d8b09-e714-479c-a0e4-55e6f29adf35
+description: Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.
+author: Austin Songer
+status: experimental
+date: 2021/07/24
+references:
+ - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
+ - https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
+logsource:
+ service: azure.activitylogs
+detection:
+ selection_operationname:
+ - properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE
+ status: success
+ condition: all of them
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1562
+ - attack.t1562.001
+falsepositives:
+- Events deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
From ef64e2a02f14ed43e9544b5a96301d01bbf99898 Mon Sep 17 00:00:00 2001
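Review bot: The block-sequence indentation is inconsistent inside the new rule: the `references` and `tags` items are indented under their keys, while the `falsepositives` item sits flush at column 0 (`+- Events deletions may be done …`, visible even with the collapsed whitespace), and the file ends with an added empty line. Pick one sequence style for the whole file, the indented form already used by `references`/`tags`, and drop the trailing blank line so yamllint's indentation and empty-lines checks pass; the only line that needs to move is the one under `falsepositives:`, to `  - Events deletions may be done by a system or network administrator. …`. The same flush item survives when that line is reworded in the fifth patch of this series, so the fix should be applied to the final state of the file.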
From: Austin Songer
Date: Sat, 24 Jul 2021 10:28:09 -0500
Subject: [PATCH 2/6] Update azure_kubernetes_events_deleted.yml
---
 rules/cloud/azure_kubernetes_events_deleted.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/azure_kubernetes_events_deleted.yml b/rules/cloud/azure_kubernetes_events_deleted.yml
index aa209c993..586761a02 100644
--- a/rules/cloud/azure_kubernetes_events_deleted.yml
+++ b/rules/cloud/azure_kubernetes_events_deleted.yml
@@ -6,7 +6,7 @@ status: experimental
 date: 2021/07/24
 references:
 - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
+ - https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
 logsource:
 service: azure.activitylogs
 detection:
From 0445be8d01c596caa210bee0f9fcabae07ce4fe0 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 24 Jul 2021 10:28:21 -0500
Subject: [PATCH 3/6] Update azure_kubernetes_events_deleted.yml
---
 rules/cloud/azure_kubernetes_events_deleted.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/azure_kubernetes_events_deleted.yml b/rules/cloud/azure_kubernetes_events_deleted.yml
index 586761a02..68a160c40 100644
--- a/rules/cloud/azure_kubernetes_events_deleted.yml
+++ b/rules/cloud/azure_kubernetes_events_deleted.yml
@@ -18,7 +18,7 @@ level: medium
 tags:
 - attack.defense_evasion
 - attack.t1562
- attack.t1562.001
+ - attack.t1562.001
 falsepositives:
 - Events deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From e123635c42410535760a47836d478f749b7c95eb Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 24 Jul 2021 10:32:27 -0500
Subject: [PATCH 4/6] Update azure_kubernetes_events_deleted.yml
---
 rules/cloud/azure_kubernetes_events_deleted.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/rules/cloud/azure_kubernetes_events_deleted.yml b/rules/cloud/azure_kubernetes_events_deleted.yml
index 68a160c40..4693d487b 100644
--- a/rules/cloud/azure_kubernetes_events_deleted.yml
+++ b/rules/cloud/azure_kubernetes_events_deleted.yml
@@ -12,7 +12,6 @@ logsource:
 detection:
 selection_operationname:
 - properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE
- status: success
 condition: all of them
 level: medium
 tags:
From 9a9f0cf5945fb1ce0aa5fc4e5d45aab0fc7258ed Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 24 Jul 2021 10:44:06 -0500
Subject: [PATCH 5/6] Update azure_kubernetes_events_deleted.yml
---
 rules/cloud/azure_kubernetes_events_deleted.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/cloud/azure_kubernetes_events_deleted.yml b/rules/cloud/azure_kubernetes_events_deleted.yml
index 4693d487b..775c650a0 100644
--- a/rules/cloud/azure_kubernetes_events_deleted.yml
+++ b/rules/cloud/azure_kubernetes_events_deleted.yml
@@ -10,14 +10,14 @@ references:
 logsource:
 service: azure.activitylogs
 detection:
- selection_operationname:
+ selection_operation_name:
 - properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE
- condition: all of them
+ condition: selection_operation_name
 level: medium
 tags:
 - attack.defense_evasion
 - attack.t1562
 - attack.t1562.001
 falsepositives:
-- Events deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+- Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From ade5e80f9d59fa1d354e801664ac285f1f0eb89f Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 27 Jul 2021 08:07:00 +0200
Subject: [PATCH 6/6] Update azure_kubernetes_events_deleted.yml
---
 rules/cloud/azure_kubernetes_events_deleted.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/azure_kubernetes_events_deleted.yml b/rules/cloud/azure_kubernetes_events_deleted.yml
index 775c650a0..b84ac76a3 100644
--- a/rules/cloud/azure_kubernetes_events_deleted.yml
+++ b/rules/cloud/azure_kubernetes_events_deleted.yml
@@ -11,7 +11,7 @@ logsource:
 service: azure.activitylogs
 detection:
 selection_operation_name:
- - properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE
+ properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE
 condition: selection_operation_name
 level: medium
 tags:
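Review bot: The reworded false-positive entry is now inconsistent with itself: it opens with `Event deletions may be done …` but the same sentence still says `Events deletions from unfamiliar users or hosts` further on. Change that second occurrence to `Event deletions from unfamiliar users or hosts should be investigated.` so the note reads cleanly. The rename to `selection_operation_name` and the matching `condition: selection_operation_name` are consistent with each other and correctly replace the `all of them` condition that only made sense while a second selection existed.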
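Review bot: The single matched operation `MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE` belongs to the `Microsoft.Kubernetes/connectedClusters` resource provider, which is Azure Arc-enabled Kubernetes, while the title and description say "Azure Kubernetes" generally; AKS managed clusters expose their data-plane operations under the `Microsoft.ContainerService/managedClusters` provider, so event deletions on AKS would not match this rule as written. Either narrow the title/description to Arc-enabled (connected) clusters, or add the corresponding managedClusters events-delete operation from the referenced resource-provider-operations page as a second value under `properties.message`; I have not verified the exact managedClusters operation string against that page, so confirm it before adding. A comment above the selection such as `# Operation name for Azure Arc-enabled (connected) clusters; AKS managed clusters log under the Microsoft.ContainerService provider` would make the coverage boundary explicit. The all-uppercase spelling appears to follow the repository's convention for azure.activitylogs rules and relies on the backend's case-insensitive string matching, since Azure emits the operation name in mixed case; worth keeping in mind if this rule is ever converted for a case-sensitive target.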