Deployment Deleted From Kubernetes Cluster
Product information
Updated
Detects the removal of a deployment from a Kubernetes cluster. This could indicate disruptive activity aiming to impact business operations.
MITRE ATT&CK® techniques
Summary
- Source control
- SigmaHQ/sigma
- Status
- Synced
- File path
- rules/application/kubernetes/audit/kubernetes_audit_deployment_deleted.yml
- Due date
Activity
created rules/application/kubernetes/audit/kubernetes_audit_deployment_deleted.yml
Raw rule
title: Deployment Deleted From Kubernetes Cluster
id: 40967487-139b-4811-81d9-c9767a92aa5a
status: test
description: |
Detects the removal of a deployment from a Kubernetes cluster.
This could indicate disruptive activity aiming to impact business operations.
references:
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Data%20destruction/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
- attack.t1498
- attack.impact
logsource:
category: application
product: kubernetes
service: audit
detection:
selection:
verb: 'delete'
objectRef.resource: 'deployments'
condition: selection
falsepositives:
- Unknown
level: low