LoFP LoFP / network policy being modified and deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

Azure Kubernetes Network Policy Change

Description

Identifies when a Azure Kubernetes network policy is modified or deleted.

Detection logic

condition: selection
selection:
  operationName:
  - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/WRITE
  - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE
  - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/WRITE
  - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/DELETE