Azure Arc Kubernetes Azure-Microsoft.Kubernetes

29 operations, identified by operationName in the audit log.

operationName	Description
_catch_all	Catch-all for Azure-Microsoft.Kubernetes rules matching the resource provider but no specific operation.
Microsoft.Kubernetes/connectedClusters/configmaps/delete	Deletes a Kubernetes ConfigMap on an Azure Arc-connected cluster via the ARM proxy.
Microsoft.Kubernetes/connectedClusters/configmaps/write	Creates or updates a Kubernetes ConfigMap on an Arc-connected cluster; may be used to inject configuration or override application settings.
Microsoft.Kubernetes/connectedClusters/delete	Deletes the Azure Arc connected cluster resource, disconnecting the cluster from Azure management.
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/delete	Deletes Kubernetes event objects on an Arc-connected cluster; may be used to cover traces of cluster activity.
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/delete	Deletes a network policy in the extensions API group on an Arc-connected cluster.
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/write	Creates or updates a network policy in the extensions API group on an Arc-connected cluster.
Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action	Retrieves user-level credentials for an Arc-connected Kubernetes cluster; used to obtain kubeconfig for cluster access.
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/delete	Deletes a Kubernetes NetworkPolicy resource on an Arc-connected cluster, potentially removing network segmentation.
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/write	Creates or updates a Kubernetes NetworkPolicy on an Arc-connected cluster, controlling pod-to-pod traffic.
Microsoft.Kubernetes/connectedClusters/pods/delete	Deletes a Kubernetes pod on an Arc-connected cluster via the ARM proxy.
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterrolebindings/delete	Deletes a Kubernetes ClusterRoleBinding on an Arc-connected cluster.
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterrolebindings/write	Creates or updates a Kubernetes ClusterRoleBinding on an Arc-connected cluster, granting cluster-wide RBAC permissions.
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/bind/action	Allows binding of a ClusterRole on an Arc-connected cluster without write permission on the role itself.
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/delete	Deletes a Kubernetes ClusterRole on an Arc-connected cluster.
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/escalate/action	Allows writing a ClusterRole with permissions beyond the caller's own; a privilege-escalation action on Arc-connected clusters.
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/write	Creates or updates a Kubernetes ClusterRole on an Arc-connected cluster, defining cluster-wide permission rules.
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/delete	Deletes a Kubernetes RoleBinding on an Arc-connected cluster.
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/write	Creates or updates a Kubernetes RoleBinding on an Arc-connected cluster, granting namespace-scoped RBAC permissions.
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/bind/action	Allows binding of a namespace-scoped Role on an Arc-connected cluster without write permission on the role itself.
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/delete	Deletes a namespace-scoped Kubernetes Role on an Arc-connected cluster.
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/escalate/action	Allows writing a namespace-scoped Role with permissions beyond the caller's own; a privilege-escalation action.
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/write	Creates or updates a namespace-scoped Kubernetes Role on an Arc-connected cluster.
Microsoft.Kubernetes/connectedClusters/secrets/delete	Deletes a Kubernetes Secret on an Arc-connected cluster.
Microsoft.Kubernetes/connectedClusters/secrets/write	Creates or updates a Kubernetes Secret on an Arc-connected cluster; may be used to inject credentials or tokens.
Microsoft.Kubernetes/connectedClusters/serviceaccounts/delete	Deletes a Kubernetes ServiceAccount on an Arc-connected cluster.
Microsoft.Kubernetes/connectedClusters/serviceaccounts/impersonate/action	Allows impersonating a Kubernetes ServiceAccount on an Arc-connected cluster, enabling privilege escalation via token use.
Microsoft.Kubernetes/connectedClusters/serviceaccounts/write	Creates or updates a Kubernetes ServiceAccount on an Arc-connected cluster.
Microsoft.Kubernetes/connectedClusters/write	Creates or updates an Azure Arc connected Kubernetes cluster resource.

_catch_all: Azure Arc Kubernetes (catch-all)

Resource provider: Azure-Microsoft.Kubernetes

Description

Catch-all for Azure-Microsoft.Kubernetes rules matching the resource provider but no specific operation.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Kubernetes/connectedClusters/configmaps/delete

Resource provider: Azure-Microsoft.Kubernetes

Description

Deletes a Kubernetes ConfigMap on an Azure Arc-connected cluster via the ARM proxy.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Sigma #

Azure Kubernetes Secret or Config Object Access source medium: Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.↳ also matches Microsoft.Kubernetes/connectedClusters/configmaps/write, Microsoft.Kubernetes/connectedClusters/secrets/delete, Microsoft.Kubernetes/connectedClusters/secrets/write

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Kubernetes/connectedClusters/configmaps/write

Resource provider: Azure-Microsoft.Kubernetes

Description

Creates or updates a Kubernetes ConfigMap on an Arc-connected cluster; may be used to inject configuration or override application settings.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Sigma #

Azure Kubernetes Secret or Config Object Access source medium: Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.↳ also matches Microsoft.Kubernetes/connectedClusters/configmaps/delete, Microsoft.Kubernetes/connectedClusters/secrets/delete, Microsoft.Kubernetes/connectedClusters/secrets/write

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Kubernetes/connectedClusters/delete

Resource provider: Azure-Microsoft.Kubernetes

Description

Deletes the Azure Arc connected cluster resource, disconnecting the cluster from Azure management.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Sigma #

Azure Kubernetes Cluster Created or Deleted source low: Detects when a Azure Kubernetes Cluster is created or deleted.↳ also matches Microsoft.Kubernetes/connectedClusters/write

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/delete

Resource provider: Azure-Microsoft.Kubernetes

Description

Deletes Kubernetes event objects on an Arc-connected cluster; may be used to cover traces of cluster activity.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`event.outcome`	in	`Success`	1 rule	elastic
`event.outcome`	in	`success`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Sigma #

Azure Kubernetes Events Deleted source medium: Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.

Elastic #

Azure Kubernetes Services (AKS) Kubernetes Events Deleted source medium: Identifies when events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes. Example events are a container creation, an image pull, or a pod scheduling on a node. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/delete

Resource provider: Azure-Microsoft.Kubernetes

Description

Deletes a network policy in the extensions API group on an Arc-connected cluster.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Sigma #

Azure Kubernetes Network Policy Change source medium: Identifies when a Azure Kubernetes network policy is modified or deleted.↳ also matches Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/write, Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/delete, Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/write

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/write

Resource provider: Azure-Microsoft.Kubernetes

Description

Creates or updates a network policy in the extensions API group on an Arc-connected cluster.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Sigma #

Azure Kubernetes Network Policy Change source medium: Identifies when a Azure Kubernetes network policy is modified or deleted.↳ also matches Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/delete, Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/delete, Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/write

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action

Resource provider: Azure-Microsoft.Kubernetes

Description

Retrieves user-level credentials for an Arc-connected Kubernetes cluster; used to obtain kubeconfig for cluster access.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`azure.activitylogs.operation_name`	eq	`MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

Azure Arc Cluster Credential Access by Identity from Unusual Source source medium: Detects when a service principal or user performs an Azure Arc cluster credential listing operation from a source IP not previously associated with that identity. The listClusterUserCredential action retrieves credentials for the Arc Cluster Connect proxy, enabling kubectl access through the Azure ARM API. An adversary using stolen service principal credentials will typically call this operation from infrastructure not previously seen for that SP. By tracking the combination of caller identity and source IP, this rule avoids false positives from backend services and CI/CD pipelines that rotate IPs but maintain consistent identity-to-IP patterns over time.

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/delete

Resource provider: Azure-Microsoft.Kubernetes

Description

Deletes a Kubernetes NetworkPolicy resource on an Arc-connected cluster, potentially removing network segmentation.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Sigma #

Azure Kubernetes Network Policy Change source medium: Identifies when a Azure Kubernetes network policy is modified or deleted.↳ also matches Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/delete, Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/write, Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/write

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/write

Resource provider: Azure-Microsoft.Kubernetes

Description

Creates or updates a Kubernetes NetworkPolicy on an Arc-connected cluster, controlling pod-to-pod traffic.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Sigma #

Azure Kubernetes Network Policy Change source medium: Identifies when a Azure Kubernetes network policy is modified or deleted.↳ also matches Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/delete, Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/write, Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/delete

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Kubernetes/connectedClusters/pods/delete

Resource provider: Azure-Microsoft.Kubernetes

Description

Deletes a Kubernetes pod on an Arc-connected cluster via the ARM proxy.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Sigma #

Azure Kubernetes Pods Deleted source medium: Identifies the deletion of Azure Kubernetes Pods.

Elastic #

Azure Kubernetes Services (AKS) Kubernetes Pods Deleted source medium: Identifies the deletion of Azure Kubernetes Pods. Adversaries may delete a Kubernetes pod to disrupt the normal behavior of the environment.

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterrolebindings/delete

Resource provider: Azure-Microsoft.Kubernetes

Description

Deletes a Kubernetes ClusterRoleBinding on an Arc-connected cluster.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Sigma #

Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted source medium: Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.↳ also matches Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterrolebindings/write, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/delete, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/write

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterrolebindings/write

Resource provider: Azure-Microsoft.Kubernetes

Description

Creates or updates a Kubernetes ClusterRoleBinding on an Arc-connected cluster, granting cluster-wide RBAC permissions.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Sigma #

Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted source medium: Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.↳ also matches Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterrolebindings/delete, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/delete, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/write

Elastic #

Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created source low: Identifies the creation of role binding or cluster role bindings. You can assign these roles to Kubernetes subjects (users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles.↳ also matches Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/write

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/bind/action

Resource provider: Azure-Microsoft.Kubernetes

Description

Allows binding of a ClusterRole on an Arc-connected cluster without write permission on the role itself.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Sigma #

Azure Kubernetes Sensitive Role Access source medium: Identifies when ClusterRoles/Roles are being modified or deleted.↳ also matches Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/delete, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/escalate/action, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/write, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/bind/action, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/delete, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/escalate/action, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/write

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/delete

Resource provider: Azure-Microsoft.Kubernetes

Description

Deletes a Kubernetes ClusterRole on an Arc-connected cluster.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Sigma #

Azure Kubernetes Sensitive Role Access source medium: Identifies when ClusterRoles/Roles are being modified or deleted.↳ also matches Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/bind/action, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/escalate/action, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/write, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/bind/action, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/delete, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/escalate/action, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/write

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/escalate/action

Resource provider: Azure-Microsoft.Kubernetes

Description

Allows writing a ClusterRole with permissions beyond the caller's own; a privilege-escalation action on Arc-connected clusters.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Sigma #

Azure Kubernetes Sensitive Role Access source medium: Identifies when ClusterRoles/Roles are being modified or deleted.↳ also matches Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/bind/action, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/delete, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/write, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/bind/action, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/delete, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/escalate/action, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/write

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/write

Resource provider: Azure-Microsoft.Kubernetes

Description

Creates or updates a Kubernetes ClusterRole on an Arc-connected cluster, defining cluster-wide permission rules.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Sigma #

Azure Kubernetes Sensitive Role Access source medium: Identifies when ClusterRoles/Roles are being modified or deleted.↳ also matches Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/bind/action, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/delete, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/escalate/action, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/bind/action, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/delete, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/escalate/action, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/write

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/delete

Resource provider: Azure-Microsoft.Kubernetes

Description

Deletes a Kubernetes RoleBinding on an Arc-connected cluster.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Sigma #

Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted source medium: Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.↳ also matches Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterrolebindings/delete, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterrolebindings/write, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/write

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/write

Resource provider: Azure-Microsoft.Kubernetes

Description

Creates or updates a Kubernetes RoleBinding on an Arc-connected cluster, granting namespace-scoped RBAC permissions.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Sigma #

Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted source medium: Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.↳ also matches Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterrolebindings/delete, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterrolebindings/write, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/delete

Elastic #

Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created source low: Identifies the creation of role binding or cluster role bindings. You can assign these roles to Kubernetes subjects (users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles.↳ also matches Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterrolebindings/write

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/bind/action

Resource provider: Azure-Microsoft.Kubernetes

Description

Allows binding of a namespace-scoped Role on an Arc-connected cluster without write permission on the role itself.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Sigma #

Azure Kubernetes Sensitive Role Access source medium: Identifies when ClusterRoles/Roles are being modified or deleted.↳ also matches Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/bind/action, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/delete, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/escalate/action, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/write, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/delete, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/escalate/action, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/write

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/delete

Resource provider: Azure-Microsoft.Kubernetes

Description

Deletes a namespace-scoped Kubernetes Role on an Arc-connected cluster.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Sigma #

Azure Kubernetes Sensitive Role Access source medium: Identifies when ClusterRoles/Roles are being modified or deleted.↳ also matches Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/bind/action, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/delete, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/escalate/action, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/write, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/bind/action, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/escalate/action, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/write

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/escalate/action

Resource provider: Azure-Microsoft.Kubernetes

Description

Allows writing a namespace-scoped Role with permissions beyond the caller's own; a privilege-escalation action.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Sigma #

Azure Kubernetes Sensitive Role Access source medium: Identifies when ClusterRoles/Roles are being modified or deleted.↳ also matches Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/bind/action, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/delete, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/escalate/action, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/write, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/bind/action, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/delete, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/write

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/write

Resource provider: Azure-Microsoft.Kubernetes

Description

Creates or updates a namespace-scoped Kubernetes Role on an Arc-connected cluster.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Sigma #

Azure Kubernetes Sensitive Role Access source medium: Identifies when ClusterRoles/Roles are being modified or deleted.↳ also matches Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/bind/action, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/delete, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/escalate/action, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/write, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/bind/action, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/delete, Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/escalate/action

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Kubernetes/connectedClusters/secrets/delete

Resource provider: Azure-Microsoft.Kubernetes

Description

Deletes a Kubernetes Secret on an Arc-connected cluster.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Sigma #

Azure Kubernetes Secret or Config Object Access source medium: Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.↳ also matches Microsoft.Kubernetes/connectedClusters/configmaps/delete, Microsoft.Kubernetes/connectedClusters/configmaps/write, Microsoft.Kubernetes/connectedClusters/secrets/write

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Kubernetes/connectedClusters/secrets/write

Resource provider: Azure-Microsoft.Kubernetes

Description

Creates or updates a Kubernetes Secret on an Arc-connected cluster; may be used to inject credentials or tokens.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Sigma #

Azure Kubernetes Secret or Config Object Access source medium: Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.↳ also matches Microsoft.Kubernetes/connectedClusters/configmaps/delete, Microsoft.Kubernetes/connectedClusters/configmaps/write, Microsoft.Kubernetes/connectedClusters/secrets/delete

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Kubernetes/connectedClusters/serviceaccounts/delete

Resource provider: Azure-Microsoft.Kubernetes

Description

Deletes a Kubernetes ServiceAccount on an Arc-connected cluster.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Sigma #

Azure Kubernetes Service Account Modified or Deleted source medium: Identifies when a service account is modified or deleted.↳ also matches Microsoft.Kubernetes/connectedClusters/serviceaccounts/impersonate/action, Microsoft.Kubernetes/connectedClusters/serviceaccounts/write

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Kubernetes/connectedClusters/serviceaccounts/impersonate/action

Resource provider: Azure-Microsoft.Kubernetes

Description

Allows impersonating a Kubernetes ServiceAccount on an Arc-connected cluster, enabling privilege escalation via token use.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Sigma #

Azure Kubernetes Service Account Modified or Deleted source medium: Identifies when a service account is modified or deleted.↳ also matches Microsoft.Kubernetes/connectedClusters/serviceaccounts/delete, Microsoft.Kubernetes/connectedClusters/serviceaccounts/write

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Kubernetes/connectedClusters/serviceaccounts/write

Resource provider: Azure-Microsoft.Kubernetes

Description

Creates or updates a Kubernetes ServiceAccount on an Arc-connected cluster.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Sigma #

Azure Kubernetes Service Account Modified or Deleted source medium: Identifies when a service account is modified or deleted.↳ also matches Microsoft.Kubernetes/connectedClusters/serviceaccounts/delete, Microsoft.Kubernetes/connectedClusters/serviceaccounts/impersonate/action

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Kubernetes/connectedClusters/write

Resource provider: Azure-Microsoft.Kubernetes

Description

Creates or updates an Azure Arc connected Kubernetes cluster resource.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Sigma #

Azure Kubernetes Cluster Created or Deleted source low: Detects when a Azure Kubernetes Cluster is created or deleted.↳ also matches Microsoft.Kubernetes/connectedClusters/delete

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)