Skip to content
Threat Feed
medium advisory

Azure Kubernetes Services (AKS) Kubernetes Events Deleted

Adversaries may delete Kubernetes events in Azure Kubernetes Services (AKS) to evade detection by removing logs of state changes, container creations, image pulls, and pod scheduling.

This detection identifies the deletion of Kubernetes events within Azure Kubernetes Service (AKS). Kubernetes events log state changes, such as container creations, image pulls, and pod scheduling. Attackers may target these logs to remove evidence of their actions. This rule specifically looks for successful deletion operations of Kubernetes events in Azure activity logs, indicating a potential attempt to evade detection. This tactic is particularly relevant for attackers aiming to maintain a low profile and hinder incident response efforts. The rule focuses on the MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE operation within Azure activity logs. It's crucial for defenders to monitor these events as they directly impact the visibility of malicious activity within AKS environments. The rule has been updated as of 2026-04-10.

Attack Chain

  1. The attacker gains initial access to the Azure environment, potentially through compromised credentials or a vulnerable application.
  2. The attacker enumerates the Kubernetes resources within the AKS cluster.
  3. The attacker identifies the Kubernetes events that they want to delete to cover their tracks.
  4. The attacker uses an account with sufficient privileges to execute the MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE operation.
  5. The attacker successfully deletes the specified Kubernetes events.
  6. Azure activity logs record the successful deletion of the events with event outcome "Success" or "success".
  7. The attacker continues their malicious activities within the AKS cluster, now with reduced visibility.
  8. The attacker achieves their objective, such as data exfiltration or service disruption, while hindering forensic analysis due to the deleted event logs.

Impact

Successful deletion of Kubernetes events impairs the ability to detect and respond to malicious activity within AKS. This can lead to delayed incident response, increased dwell time for attackers, and greater potential for damage. The rule helps defenders identify and investigate potential defense evasion attempts. While specific victim counts or sector targeting aren't available, this tactic is applicable across various industries utilizing AKS for containerized application deployment. Failure to detect and address this activity can allow attackers to operate with impunity, causing significant disruption and potential data loss.

Recommendation

  • Deploy the Sigma rule "Azure Kubernetes Services (AKS) Kubernetes Events Deleted" to your SIEM and tune for your environment (rule).
  • Review Azure activity logs for unexpected or unauthorized deletions of Kubernetes events, focusing on the MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE operation (logs-azure.activitylogs-*).
  • Implement stricter access controls and audit logging for Kubernetes event deletion operations to prevent unauthorized deletions in the future (reference: https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes).
  • Investigate any alerts generated by the Sigma rule to determine the scope and impact of the event deletion (rule).
  • Enable the Azure Fleet integration, Filebeat module, or similarly structured data to ensure compatibility with this rule (Setup section).

Detection coverage 2

Azure Kubernetes Services (AKS) Kubernetes Events Deleted

medium

Detects when events are deleted in Azure Kubernetes, potentially indicating defense evasion.

sigma tactics: defense_evasion techniques: T1562.008 sources: cloudtrail, azure, activitylogs

Azure Kubernetes Events Deletion Attempt

low

Detects any attempts to delete events in Azure Kubernetes, regardless of success, potentially indicating defense evasion.

sigma tactics: defense_evasion techniques: T1562.008 sources: cloudtrail, azure, activitylogs

Detection queries are available on the platform. Get full rules →