From fb88fe58bc9ea3ec4cb124889bda955ffabeb49d Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Sat, 7 Aug 2021 22:18:28 -0500
Subject: [PATCH] Create azure_kubernetes_cluster_created_or_deleted.yml
---
 ..._kubernetes_cluster_created_or_deleted.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/cloud/azure_kubernetes_cluster_created_or_deleted.yml
diff --git a/rules/cloud/azure_kubernetes_cluster_created_or_deleted.yml b/rules/cloud/azure_kubernetes_cluster_created_or_deleted.yml
new file mode 100644
index 000000000..4264a4285
--- /dev/null
+++ b/rules/cloud/azure_kubernetes_cluster_created_or_deleted.yml
@@ -0,0 +1,24 @@
+title: Azure Kubernetes Cluster Created or Deleted
+id: 9541f321-7cba-4b43-80fc-fbd1fb922808
+description: Detects when a Azure Kubernetes Cluster is created or deleted.
+author: Austin Songer
+status: experimental
+date: 2021/08/07
+references:
+ - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
+logsource:
+ service: azure.activitylogs
+detection:
+ selection:
+ properties.message:
+ - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE
+ - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE
+ condition: selection
+level: low
+tags:
+ - attack.impact
+falsepositives:
+ - Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+
+
+
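Review bot: The selection in the new rule matches only `MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE` and `MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE`, which are the operations of the Azure Arc-enabled Kubernetes (connected cluster) resource provider, while the title and description promise coverage of Azure Kubernetes clusters in general; managed AKS clusters are provisioned and removed through the `Microsoft.ContainerService/managedClusters` provider and would not trigger this rule as written. Either narrow the title and description to Arc-connected clusters, or extend the same `properties.message` list with `- MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/WRITE` and `- MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/DELETE` so the rule covers both providers; the referenced Microsoft operations page can confirm the exact operation names. The description also reads `a Azure`, where `an Azure` is intended. The three empty `+` lines at the end of the file can be dropped.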