Rules: AWS EKS Secrets Deleted
Kubernetes secrets may be deleted for legitimate purposes, ensure that this secrets created is from an IAM account that is expected to manage Kubernetes workloads on EKS.
| Detail | Value |
|---|---|
| Type | Templated Match |
| Category | Credential Access |
| Apply Risk to Entities | srcDevice_ip |
| Signal Name | AWS EKS Secrets Deleted |
| Summary Expression | A Kubernetes secret was deleted within an AWS EKS cluster from {{srcDevice_ip}} |
| Score/Severity | Static: 3 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0006, _mitreAttackTechnique:T1552.007 |
| Origin | Field |
|---|---|
| Normalized Schema | action |
| Normalized Schema | cloud_provider |
| Normalized Schema | cloud_service |
| Direct from Record | fields["message.objectRef.resource"] |
| Normalized Schema | http_response_statusCode |
| Normalized Schema | srcDevice_ip |