Azure Kubernetes Cluster Created or Deleted

Sigma Rules

Summary
This rule detects the creation, modification, or deletion of an Azure Kubernetes cluster resource by watching Azure Activity Log entries. It matches on the operationName field, selecting the write and delete operations of the connected-cluster resource type. Two details matter when deploying it. First, "connected clusters" is the Azure Arc-enabled Kubernetes resource type (Microsoft.Kubernetes/connectedClusters); clusters managed directly by AKS live under a different resource provider (Microsoft.ContainerService/managedClusters) and are not covered by this selection. Second, an ARM write operation covers both creation and update of a resource, so the rule also fires on configuration changes, and each operation produces several activity-log records (Started, Succeeded, Failed) sharing one correlationId, which should be collapsed into a single alert. Cluster creation and deletion are routine administrative actions, so expected activity by platform administrators or automation identities should be allowlisted by caller rather than suppressed wholesale. An unexpected write or delete, especially from an unfamiliar caller, is a strong signal of unauthorized change to Kubernetes infrastructure that could lead to service disruption or provide a foothold for further compromise, which is why administrative actions on these resources deserve review against established change procedures.
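The following is an added worked example of the detection logic run over constructed Azure Activity Log records; it is not the rule's own code or part of the original page. The two operation names are assumed to be the rule's selection (the page describes write and delete operations on connected clusters without quoting the values); the sample events, callers and resource IDs are constructed. It also shows the caveats that matter in practice: Sigma matching is case-insensitive while Azure emits mixed-case operation names, the REST API nests operationName and status as {"value": ...} objects, and one ARM operation yields several records that share a correlationId.

```python
"""Detection logic for "Azure Kubernetes Cluster Created or Deleted", as an
added example (not the rule's own code) applied to constructed log records."""

# Assumed selection values: the Azure resource-provider operation names for
# the connected-cluster (Azure Arc-enabled Kubernetes) resource type.
WATCHED_OPERATIONS = {
    "microsoft.kubernetes/connectedclusters/write",   # create or update
    "microsoft.kubernetes/connectedclusters/delete",
}


def _field(event: dict, name: str):
    """Return a string field, unwrapping the {"value": ..., "localizedValue": ...}
    shape the Azure Monitor REST API uses for operationName and status."""
    value = event.get(name)
    if isinstance(value, dict):
        value = value.get("value")
    return value if isinstance(value, str) else None


def matches_rule(event: dict) -> bool:
    """Sigma string matching is case-insensitive by default, while Azure emits
    mixed-case operation names, so the comparison is done in lower case."""
    op = _field(event, "operationName")
    return op is not None and op.lower() in WATCHED_OPERATIONS


def run_rule(events):
    """Apply the selection and return one finding per ARM operation.

    ARM writes one record per phase (Started, Succeeded, Failed) that share a
    correlationId. A Started record for an operation that later fails is still
    worth seeing (an attempted delete), so phases are collapsed rather than
    dropped: the last status seen for a correlationId wins.
    """
    findings = {}
    for ev in events:
        if not matches_rule(ev):
            continue
        op = _field(ev, "operationName").lower()
        key = ev.get("correlationId") or id(ev)
        findings[key] = {
            "action": op.rsplit("/", 1)[-1],      # "write" or "delete"
            "caller": ev.get("caller"),
            "resourceId": ev.get("resourceId"),
            "status": _field(ev, "status"),
            "correlationId": ev.get("correlationId"),
        }
    return list(findings.values())


# Constructed sample records (not real log data). Subscription and caller
# identifiers are placeholders.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-edge"
_EDGE01 = _SUB + "/providers/Microsoft.Kubernetes/connectedClusters/edge-01"
_EDGE02 = _SUB + "/providers/Microsoft.Kubernetes/connectedClusters/edge-02"
_AKS01 = _SUB + "/providers/Microsoft.ContainerService/managedClusters/aks-01"

SAMPLE_EVENTS = [
    # Arc cluster onboarded: Started then Succeeded for the same operation.
    {"operationName": "Microsoft.Kubernetes/connectedClusters/write",
     "status": "Started", "caller": "alice@contoso.example",
     "correlationId": "c-1", "resourceId": _EDGE01},
    {"operationName": "Microsoft.Kubernetes/connectedClusters/write",
     "status": "Succeeded", "caller": "alice@contoso.example",
     "correlationId": "c-1", "resourceId": _EDGE01},
    # REST-API record shape: a delete by an automation identity that failed.
    {"operationName": {"value": "Microsoft.Kubernetes/connectedClusters/delete",
                       "localizedValue": "Delete Connected Cluster"},
     "status": {"value": "Failed", "localizedValue": "Failed"},
     "caller": "sp-cluster-automation", "correlationId": "c-2",
     "resourceId": _EDGE02},
    # Not matched: a read of the same resource type.
    {"operationName": "Microsoft.Kubernetes/connectedClusters/read",
     "status": "Succeeded", "caller": "bob@contoso.example",
     "correlationId": "c-3", "resourceId": _EDGE01},
    # Not matched: an AKS managed cluster lives under another provider.
    {"operationName": "Microsoft.ContainerService/managedClusters/write",
     "status": "Succeeded", "caller": "alice@contoso.example",
     "correlationId": "c-4", "resourceId": _AKS01},
]

if __name__ == "__main__":
    for finding in run_rule(SAMPLE_EVENTS):
        print(finding)
```

Running the block yields two findings: the successful write on edge-01 (its Started and Succeeded records merged) and the failed delete on edge-02. The read and the AKS managed-cluster write are not matched, which is the point of the caveat above: extend the selection to the managed-cluster operations if AKS clusters are in scope.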
Categories
  • Cloud
  • Azure
  • Kubernetes
  • Infrastructure
Data Sources
  • Cloud Service
  • Logon Session
  • Network Traffic
Created: 2021-08-07