kubernetes cluster created or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

source: <a href=https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml>sigma
technicques: t1485 t1489 t1496

Techniques

Detects when a Azure Kubernetes Cluster is created or deleted.

condition: selection
selection:
  operationName:
  - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE
  - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE