LoFP / pods deletions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

Azure Kubernetes Pods Deleted

• source: sigma
• technicques:

Description

Identifies the deletion of Azure Kubernetes Pods.

Detection logic

condition: selection
selection:
  operationName: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE