From af3571ea6eedcd6513f2b3369e3665230c283cb6 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Fri, 15 Oct 2021 14:07:39 -0500 Subject: [PATCH] [New Rule] Azure Kubernetes Pods Deleted (#1309) * Create impact_kubernetes_pod_deleted.toml * Update impact_kubernetes_pod_deleted.toml * Update * Update impact_kubernetes_pod_deleted.toml * quote value in query Co-authored-by: Justin Ibarra Co-authored-by: Jonhnathan (cherry picked from commit 761df5fe84f00f47b05b5de6f2e716f95e142220) --- .../azure/impact_kubernetes_pod_deleted.toml | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 rules/integrations/azure/impact_kubernetes_pod_deleted.toml diff --git a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml new file mode 100644 index 000000000..bf4a4cce8 --- /dev/null +++ b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml @@ -0,0 +1,49 @@ +[metadata] +creation_date = "2021/06/24" +maturity = "production" +updated_date = "2021/06/24" +integration = "azure" + +[rule] +author = ["Austin Songer"] +description = """ +Identifies the deletion of Azure Kubernetes Pods. Adversary may delete a kubernetes pod to disrupt the normal behavior of the environment. +""" +false_positives = [ + """ + Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname + should be making changes in your environment. Pods deletions from unfamiliar users or hosts should be + investigated. If known behavior is causing false positives, it can be exempted from the rule. + """, +] +from = "now-25m" +index = ["filebeat-*", "logs-azure*"] +language = "kuery" +license = "Elastic License v2" +name = "Azure Kubernetes Pods Deleted" +note = """## Config + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +references = [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", +] +risk_score = 47 +rule_id = "83a1931d-8136-46fc-b7b9-2db4f639e014" +severity = "medium" +tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Asset Visibility"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE" and +event.outcome:(Success or success) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0040" +name = "Impact" +reference = "https://attack.mitre.org/tactics/TA0040/"