Rules Contributing to Suspicious Azure Kubernetes Activity: Defense Evasion Alert
The following rules identify suspicious Azure Kubernetes activity typically associated with the defense-evasion stage of an attack. A match on any one of them triggers the Suspicious Azure Kubernetes Activity: Defense Evasion Alert. Details for each rule can be viewed by clicking the More Details link in the description.
Title | Description
---|---
Azure Kubernetes Events Deleted | Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.

Details for Azure Kubernetes Events Deleted:

Field | Value
---|---
Rule ID |
Query | `{'selection': {'operationName': 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE'}, 'condition': 'selection'}`
Log Source | Stellar Cyber Microsoft Entra Events configured
Rule Source | SigmaHQ, 225d8b09-e714-479c-a0e4-55e6f29adf35 (Author: Austin Songer @austinsonger)
Tactics, Techniques, and Procedures | DEFENSE_EVASION, T1562, T1562.001
References |
Severity | 50
Suppression Logic Based On |
Additional Information |
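The query above is the rule's entire logic: a single equality test on `operationName`, with no filter on who performed the deletion or whether it succeeded. The following added example (not Stellar Cyber's or the SigmaHQ rule's own code) runs that selection over a few constructed Azure activity-log records to show what does and does not fire, using the Sigma convention that string matching is case-insensitive, and then groups the hits by caller for triage. The record layout (`time`, `operationName`, `caller`, `resourceId`, `resultType`) is a simplified activity-log shape assumed here, and every sample line is constructed. Note that the operation name belongs to the `Microsoft.Kubernetes/connectedClusters` resource provider, which is Azure Arc-enabled Kubernetes.

```python
import json
from collections import Counter

# The selection from the rule on this page (SigmaHQ 225d8b09-e714-479c-a0e4-55e6f29adf35).
SELECTION = {
    "operationName": "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE",
}

# Constructed sample records (not real telemetry) in an assumed, simplified
# Azure activity-log layout, one JSON object per line. They cover: an exact
# match, a mixed-case match, a non-matching verb (READ), a failed delete, and
# a record with no operationName at all.
SAMPLE_LOG = """\
{"time": "2024-05-01T10:00:01Z", "operationName": "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE", "caller": "svc-cleanup@example.com", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Kubernetes/connectedClusters/cluster-a", "resultType": "Succeeded"}
{"time": "2024-05-01T10:00:02Z", "operationName": "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/delete", "caller": "alice@example.com", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Kubernetes/connectedClusters/cluster-a", "resultType": "Succeeded"}
{"time": "2024-05-01T10:00:03Z", "operationName": "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/READ", "caller": "alice@example.com", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Kubernetes/connectedClusters/cluster-a", "resultType": "Succeeded"}
{"time": "2024-05-01T10:00:04Z", "operationName": "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE", "caller": "alice@example.com", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Kubernetes/connectedClusters/cluster-b", "resultType": "Failed"}
{"time": "2024-05-01T10:00:05Z", "caller": "bob@example.com", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Kubernetes/connectedClusters/cluster-a", "resultType": "Succeeded"}
"""


def parse_records(text):
    """Parse JSON-lines input; skip blank lines and anything that is not a JSON object."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            records.append(obj)
    return records


def selection_matches(record, selection=SELECTION):
    """Evaluate a Sigma-style selection: every listed field must equal its
    expected value (AND). Sigma compares strings case-insensitively unless a
    modifier says otherwise, so the comparison is case-folded. A missing or
    non-string field never matches."""
    for field, expected in selection.items():
        actual = record.get(field)
        if not isinstance(actual, str) or actual.casefold() != expected.casefold():
            return False
    return True


def detect(records, selection=SELECTION):
    """Apply the rule (condition: selection) and keep the fields an analyst
    needs to triage each hit."""
    return [
        {
            "time": rec.get("time"),
            "caller": rec.get("caller"),
            "resourceId": rec.get("resourceId"),
            "resultType": rec.get("resultType"),
        }
        for rec in records
        if selection_matches(rec, selection)
    ]


def hits_by_caller(hits):
    """Count hits per caller: a burst of deletions from one identity is the
    signal worth escalating, while a known cleanup principal is a tuning candidate."""
    return dict(Counter(h["caller"] for h in hits))


if __name__ == "__main__":
    hits = detect(parse_records(SAMPLE_LOG))
    for hit in hits:
        print(hit)
    print(hits_by_caller(hits))
```

Three of the five constructed records fire: the exact-case and mixed-case deletions and the failed one, since the selection never looks at `resultType`. The READ record and the record without `operationName` do not. When tuning, look at the caller and the count per cluster before escalating; a scheduled cleanup identity deleting events is a common benign source, whereas an interactive user deleting events on a cluster they do not normally administer is the case the rule exists for.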