LoFP / secrets modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

condition: selection
selection:
  operationName:
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/DELETE
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/PURGE/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/UPDATE/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RECOVER/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RESTORE/ACTION
  - MICROSOFT.KEYVAULT/VAULTS/SECRETS/SETSECRET/ACTION

condition: selection
selection:
  gcp.audit.method_name:
  - io.k8s.core.v*.secrets.create
  - io.k8s.core.v*.secrets.update
  - io.k8s.core.v*.secrets.patch
  - io.k8s.core.v*.secrets.delete