eks cluster created or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

source: <a href=https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws/cloudtrail/aws_eks_cluster_created_or_deleted.yml>sigma
technicques: t1485

Techniques

Identifies when an EKS cluster is created or deleted.

condition: selection
selection:
  eventName:
  - CreateCluster
  - DeleteCluster
  eventSource: eks.amazonaws.com