Create azure_kubernetes_cluster_created_or_deleted.yml
This commit is contained in:
Austin Songer
@@ -0,0 +1,24 @@
|
||||
title: Azure Kubernetes Cluster Created or Deleted
|
||||
id: 9541f321-7cba-4b43-80fc-fbd1fb922808
|
||||
description: Detects when a Azure Kubernetes Cluster is created or deleted.
|
||||
author: Austin Songer
|
||||
status: experimental
|
||||
date: 2021/08/07
|
||||
references:
|
||||
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
|
||||
logsource:
|
||||
service: azure.activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message:
|
||||
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE
|
||||
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE
|
||||
condition: selection
|
||||
level: low
|
||||
tags:
|
||||
- attack.impact
|
||||
falsepositives:
|
||||
- Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user