Unexpected Azure API calls indicating AKS cluster deletion
Description
AlphaSOC detected the deletion of an Azure Kubernetes Service (AKS) cluster via
Microsoft.ContainerService/managedClusters/delete. AKS cluster deletion is a
destructive operation that removes all workloads, configurations, and data
associated with the cluster. While cluster deletion occurs during legitimate
decommissioning, threat actors may delete clusters as part of sabotage
operations, ransomware attacks, or to cover tracks after data exfiltration.
Impact
Deleting an AKS cluster immediately terminates all running workloads and destroys associated data. This can cause significant service disruption and data loss. Threat actors may target clusters to maximize impact during ransomware operations or to eliminate evidence of their activities within container environments.
Severity
| Severity | Condition |
|---|---|
| Low | AKS cluster deletion detected |
| Medium | Anomalous AKS cluster deletion |
Investigation and Remediation
Review Azure Activity logs for the
Microsoft.ContainerService/managedClusters/delete action. Identify the
principal responsible for the deletion and the specific cluster that was
removed. Verify whether this was a planned decommissioning activity with
appropriate change management approval.
If unauthorized, assess the impact by identifying what workloads were running on the cluster. Review audit logs for other suspicious activities from the same principal. Rotate credentials for the compromised identity, implement RBAC restrictions to limit cluster deletion permissions, and consider enabling soft delete or resource locks for critical AKS clusters.
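The triage described above, as an added example that is not AlphaSOC's code: it scans Azure Activity log records for the Microsoft.ContainerService/managedClusters/delete action, extracts the principal and cluster, and assigns the Low/Medium severities from the table. It assumes records shaped like the output of `az monitor activity-log list` (operationName.value, status.value, caller, resourceId, eventTimestamp), and the two anomaly rules it applies (the caller has no prior successful AKS operation in the window, or the deletion falls outside an assumed 07:00-18:59 UTC change window) are illustrative assumptions rather than AlphaSOC's detection logic. The sample records are constructed, not real telemetry.

```python
"""Triage AKS cluster deletions found in Azure Activity log records.

Added example, not AlphaSOC code. Record shape and anomaly rules are
assumptions documented in the lead-in; sample records are constructed.
"""
from datetime import datetime, timezone

AKS_PREFIX = "Microsoft.ContainerService/managedClusters/"
DELETE_OP = AKS_PREFIX + "delete"
BUSINESS_HOURS_UTC = range(7, 19)  # assumed change window, 07:00-18:59 UTC

# Constructed subscription/resource-group path (placeholder GUID).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
CLUSTER_PATH = SUB + "/providers/" + AKS_PREFIX


def _rec(op: str, status: str, caller: str, cluster: str, ts: str) -> dict:
    """Build one record in the shape `az monitor activity-log list` emits."""
    return {
        "operationName": {"value": op},
        "status": {"value": status},
        "caller": caller,
        "resourceId": CLUSTER_PATH + cluster,
        "eventTimestamp": ts,
    }


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    # Earlier, routine AKS change: establishes ops-admin as a known AKS operator.
    _rec(AKS_PREFIX + "write", "Succeeded", "ops-admin@example.com", "aks-prod-01", "2024-01-10T09:15:00Z"),
    # Planned decommission by a principal that normally manages AKS, in hours.
    _rec(DELETE_OP, "Succeeded", "ops-admin@example.com", "aks-legacy-01", "2024-01-15T10:00:00Z"),
    # Deletion by a principal with no prior AKS activity, at 02:47 UTC.
    _rec(DELETE_OP, "Succeeded", "svc-reporting@example.com", "aks-prod-01", "2024-01-16T02:47:00Z"),
    # A delete that did not succeed (e.g. denied by RBAC or a resource lock).
    _rec(DELETE_OP, "Failed", "svc-reporting@example.com", "aks-prod-02", "2024-01-16T02:49:00Z"),
]


def cluster_name(resource_id: str) -> str:
    """The last segment of the ARM resource ID is the cluster name."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1]


def aks_baseline(records) -> set:
    """Principals with at least one successful, non-delete AKS control-plane operation."""
    return {
        r["caller"]
        for r in records
        if r["operationName"]["value"].startswith(AKS_PREFIX)
        and r["operationName"]["value"] != DELETE_OP
        and r["status"]["value"] == "Succeeded"
    }


def triage_deletions(records, baseline=None) -> list:
    """Return one finding per managedClusters/delete record, with severity and reasons.

    Low: any deletion. Medium: a successful deletion with at least one anomaly
    indicator. Failed attempts are kept at Low but annotated, because a denied
    delete is still worth correlating with the caller's other activity.
    """
    baseline = aks_baseline(records) if baseline is None else baseline
    findings = []
    for r in records:
        if r["operationName"]["value"] != DELETE_OP:
            continue
        ts = datetime.fromisoformat(r["eventTimestamp"].replace("Z", "+00:00")).astimezone(timezone.utc)
        succeeded = r["status"]["value"] == "Succeeded"
        reasons = []
        if r["caller"] not in baseline:
            reasons.append("caller has no prior successful AKS operations in the window")
        if ts.hour not in BUSINESS_HOURS_UTC:
            reasons.append("deletion outside the assumed change window")
        if not succeeded:
            reasons.append("delete attempt did not succeed; check for RBAC denial or a resource lock")
        findings.append({
            "cluster": cluster_name(r["resourceId"]),
            "caller": r["caller"],
            "timestamp": ts.isoformat(),
            "succeeded": succeeded,
            "severity": "medium" if (succeeded and reasons) else "low",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in triage_deletions(SAMPLE_RECORDS):
        print(f["severity"].upper(), f["cluster"], f["caller"], f["timestamp"],
              "; ".join(f["reasons"]) or "no anomaly indicators")
```

In practice the baseline would be built from a longer look-back than the records being triaged, and the approved change list from your change-management system would be checked before raising a Medium; the in-hours rule is deliberately crude and should be replaced with whatever window your operations team actually uses.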
Known False Positives
- Planned infrastructure decommissioning
- Migration to new cluster architectures