diff --git a/rules/application/kubernetes/audit/kubernetes_audit_deployment_deleted.yml b/rules/application/kubernetes/audit/kubernetes_audit_deployment_deleted.yml
new file mode 100644
index 00000000000..09a4e75db4b
--- /dev/null
+++ b/rules/application/kubernetes/audit/kubernetes_audit_deployment_deleted.yml
@@ -0,0 +1,24 @@
+title: Deployment Deleted From Kubernetes Cluster
+id: 40967487-139b-4811-81d9-c9767a92aa5a
+status: experimental
+description: |
+    Detects the removal of a deployment from a Kubernetes cluster.
+    This could indicate disruptive activity aiming to impact business operations.
+references:
+    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Data%20destruction/
+author: Leo Tsaousis (@laripping)
+date: 2024/03/26
+tags:
+    - attack.t1498
+logsource:
+    category: application
+    product: kubernetes
+    service: audit
+detection:
+    selection:
+        verb: 'delete'
+        objectRef.resource: 'deployments'
+    condition: selection
+falsepositives:
+    - Unknown
+level: low
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_events_deleted.yml b/rules/application/kubernetes/audit/kubernetes_audit_events_deleted.yml
new file mode 100644
index 00000000000..0bf5fc60a9f
--- /dev/null
+++ b/rules/application/kubernetes/audit/kubernetes_audit_events_deleted.yml
@@ -0,0 +1,27 @@
+title: Kubernetes Events Deleted
+id: 3132570d-cab2-4561-9ea6-1743644b2290
+related:
+    - id: 225d8b09-e714-479c-a0e4-55e6f29adf35
+      type: derived
+status: experimental
+description: |
+    Detects when events are deleted in Kubernetes.
+    An adversary may delete Kubernetes events in an attempt to evade detection.
+references:
+    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/
+author: Leo Tsaousis (@laripping)
+date: 2024/03/26
+tags:
+    - attack.t1070
+logsource:
+    category: application
+    product: kubernetes
+    service: audit
+detection:
+    selection:
+        verb: 'delete'
+        objectRef.resource: 'events'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml b/rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml
new file mode 100644
index 00000000000..1e4b37253a9
--- /dev/null
+++ b/rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml
@@ -0,0 +1,24 @@
+title: Potential Remote Command Execution In Pod Container
+id: a1b0ca4e-7835-413e-8471-3ff2b8a66be6
+status: experimental
+description: |
+    Detects attempts to execute remote commands, within a Pod's container using e.g. the "kubectl exec" command.
+references:
+    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container/
+author: Leo Tsaousis (@laripping)
+date: 2024/03/26
+tags:
+    - attack.t1609
+logsource:
+    category: application
+    product: kubernetes
+    service: audit
+detection:
+    selection:
+        verb: 'create'
+        objectRef.resource: 'pods'
+        objectRef.subresource: 'exec'
+    condition: selection
+falsepositives:
+    - Legitimate debugging activity. Investigate the identity performing the requests and their authorization.
+level: medium
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml b/rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml
new file mode 100644
index 00000000000..f4b074a18e2
--- /dev/null
+++ b/rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml
@@ -0,0 +1,27 @@
+title: Container With A hostPath Mount Created
+id: 402b955c-8fe0-4a8c-b635-622b4ac5f902
+status: experimental
+description: |
+    Detects creation of a container with a hostPath mount.
+    A hostPath volume mounts a directory or a file from the node to the container.
+    Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node.
+references:
+    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/
+    - https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216
+author: Leo Tsaousis (@laripping)
+date: 2024/03/26
+tags:
+    - attack.t1611
+logsource:
+    category: application
+    product: kubernetes
+    service: audit
+detection:
+    selection:
+        verb: 'create'
+        objectRef.resource: 'pods'
+        hostPath: '*' # Note: Add the "exists" when it's implemented in SigmaHQ/Aurora
+    condition: selection
+falsepositives:
+    - The DaemonSet controller creates pods with hostPath volumes within the kube-system namespace.
+level: low
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_pod_in_system_namespace.yml b/rules/application/kubernetes/audit/kubernetes_audit_pod_in_system_namespace.yml
new file mode 100644
index 00000000000..dc9877f1ed9
--- /dev/null
+++ b/rules/application/kubernetes/audit/kubernetes_audit_pod_in_system_namespace.yml
@@ -0,0 +1,27 @@
+title: Creation Of Pod In System Namespace
+id: a80d927d-ac6e-443f-a867-e8d6e3897318
+status: experimental
+description: |
+    Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods.
+    System pods, created by controllers such as Deployments or DaemonSets have random suffixes in their names.
+    Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection.
+    Deployment of such a backdoor container e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers.
+references:
+    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarily/
+author: Leo Tsaousis (@laripping)
+date: 2024/03/26
+tags:
+    - attack.t1036.005
+logsource:
+    category: application
+    product: kubernetes
+    service: audit
+detection:
+    selection:
+        verb: 'create'
+        objectRef.resource: 'pods'
+        objectRef.namespace: kube-system
+    condition: selection
+falsepositives:
+    - System components such as daemon-set-controller and kube-scheduler also create pods in the kube-system namespace
+level: medium
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml b/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml
new file mode 100644
index 00000000000..ccdcff12f63
--- /dev/null
+++ b/rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml
@@ -0,0 +1,29 @@
+title: Privileged Container Deployed
+id: c5cd1b20-36bb-488d-8c05-486be3d0cb97
+status: experimental
+description: |
+    Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting a container breakout attacks.
+    A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host.
+    Various versions of "privileged" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields
+references:
+    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/
+    - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer
+    - https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html
+    - https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html
+author: Leo Tsaousis (@laripping)
+date: 2024/03/26
+tags:
+    - attack.t1611
+logsource:
+    category: application
+    product: kubernetes
+    service: audit
+detection:
+    selection:
+        verb: 'create'
+        objectRef.resource: 'pods'
+        capabilities: '*' # Note: Add the "exists" when it's implemented in SigmaHQ/Aurora
+    condition: selection
+falsepositives:
+    - Unknown
+level: low
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_rbac_permisions_listing.yml b/rules/application/kubernetes/audit/kubernetes_audit_rbac_permisions_listing.yml
new file mode 100644
index 00000000000..0e41fb7c2d9
--- /dev/null
+++ b/rules/application/kubernetes/audit/kubernetes_audit_rbac_permisions_listing.yml
@@ -0,0 +1,28 @@
+title: RBAC Permission Enumeration Attempt
+id: 84b777bd-c946-4d17-aa2e-c39f5a454325
+status: experimental
+description: |
+    Detects identities attempting to enumerate their Kubernetes RBAC permissions.
+    In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment.
+    In a Kubernetes cluster, this can be achieved by interacting with the API server, and querying the SelfSubjectAccessReview API via e.g. a "kubectl auth can-i --list" command.
+    This will enumerate the Role-Based Access Controls (RBAC) rules defining the compromised user's authorization.
+references:
+    - https://www.elastic.co/guide/en/security/current/kubernetes-suspicious-self-subject-review.html
+author: Leo Tsaousis (@laripping)
+date: 2024/03/26
+tags:
+    - attack.t1069.003
+    - attack.t1087.004
+logsource:
+    category: application
+    product: kubernetes
+    service: audit
+detection:
+    selection:
+        verb: 'create'
+        apiGroup: 'authorization.k8s.io'
+        objectRef.resource: 'selfsubjectrulesreviews'
+    condition: selection
+falsepositives:
+    - Unknown
+level: low
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_secrets_enumeration.yml b/rules/application/kubernetes/audit/kubernetes_audit_secrets_enumeration.yml
new file mode 100644
index 00000000000..6dc529595c0
--- /dev/null
+++ b/rules/application/kubernetes/audit/kubernetes_audit_secrets_enumeration.yml
@@ -0,0 +1,25 @@
+title: Kubernetes Secrets Enumeration
+id: eeb3e9e1-b685-44e4-9232-6bb701f925b5
+related:
+    - id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c
+      type: derived
+status: experimental
+description: Detects enumeration of Kubernetes secrets.
+references:
+    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/
+author: Leo Tsaousis (@laripping)
+date: 2024/03/26
+tags:
+    - attack.t1552.007
+logsource:
+    category: application
+    product: kubernetes
+    service: audit
+detection:
+    selection:
+        verb: 'list'
+        objectRef.resource: 'secrets'
+    condition: selection
+falsepositives:
+    - The Kubernetes dashboard occasionally accesses the kubernetes-dashboard-key-holder secret
+level: low
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_serviceaccount_creation.yml b/rules/application/kubernetes/audit/kubernetes_audit_serviceaccount_creation.yml
new file mode 100644
index 00000000000..7316b841069
--- /dev/null
+++ b/rules/application/kubernetes/audit/kubernetes_audit_serviceaccount_creation.yml
@@ -0,0 +1,26 @@
+title: New Kubernetes Service Account Created
+id: e31bae15-83ed-473e-bf31-faf4f8a17d36
+related:
+    - id: 12d027c3-b48c-4d9d-8bb6-a732200034b2
+      type: derived
+status: experimental
+description: |
+    Detects creation of new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.
+references:
+    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/
+author: Leo Tsaousis (@laripping)
+date: 2024/03/26
+tags:
+    - attack.t1136
+logsource:
+    category: application
+    product: kubernetes
+    service: audit
+detection:
+    selection:
+        verb: 'create'
+        objectRef.resource: 'serviceaccounts'
+    condition: selection
+falsepositives:
+    - Unknown
+level: low
diff --git a/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml b/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml
new file mode 100644
index 00000000000..e2bdefd17e3
--- /dev/null
+++ b/rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml
@@ -0,0 +1,28 @@
+title: Potential Sidecar Injection Into Running Deployment
+id: ad9012a6-e518-4432-9890-f3b82b8fc71f
+status: experimental
+description: |
+    Detects attempts to inject a sidecar container into a running deployment.
+    A sidecar container is an additional container within a pod, that resides alongside the main container.
+    One way to add containers to running resources like Deployments/DeamonSets/StatefulSets, is via a "kubectl patch" operation.
+    By injecting a new container within a legitimate pod, an attacker can run their code and hide their activity, instead of running their own separated pod in the cluster.
+references:
+    - https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch
+    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/
+author: Leo Tsaousis (@laripping)
+date: 2024/03/26
+tags:
+    - attack.t1609
+logsource:
+    category: application
+    product: kubernetes
+    service: audit
+detection:
+    selection:
+        verb: 'patch'
+        apiGroup: 'apps'
+        objectRef.resource: 'deployments'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
diff --git a/tests/logsource.json b/tests/logsource.json
index 1f6d7b8c975..615da9d98fc 100644
--- a/tests/logsource.json
+++ b/tests/logsource.json
@@ -194,6 +194,16 @@
             },
             "service":{}
         },
+        "kubernetes":{
+            "commun": [],
+            "empty": [],
+            "category":{
+                "application":[]
+            },
+            "service":{
+                "audit": []
+            }
+        },
         "python":{
             "commun": [],
             "empty": [],