Queries for the AKSAudit table

Article
07/30/2024

For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.

Volume of Kubernetes audit events per SourceIp

Display the count of Kubernetes audit events generated from a given source IP address for each AKS cluster. Requires Diagnostic Settings to use the Resource Specific destination table.

AKSAudit
| where ResponseStatus.code != 401  // Exclude unauthorized responses
| mv-expand SourceIps               // Expand the list of SourceIp entries into individual rows
| summarize Count = count() by SourceIp = tostring(SourceIps), ResourceId = _ResourceId
| sort by Count desc

Share via

Queries for the AKSAudit table

Volume of Kubernetes audit events per SourceIp

Feedback

Additional resources