LoFP / kubernetes cluster created or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

Azure Kubernetes Cluster Created or Deleted

• source: sigma
• technicques:

Description

Detects when a Azure Kubernetes Cluster is created or deleted.

Detection logic

condition: selection
selection:
  operationName:
  - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE
  - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE