Queries for the AKSAudit table

Article
03/26/2024

Volume of Kubernetes audit events per SourceIp

Display the count of Kubernetes audit events generated from a given source IP address for each AKS cluster. Requires Diagnostic Settings to use the Resource Specific destination table.

AKSAudit
| where ResponseStatus.code != 401  // Exclude unauthorized responses
| mv-expand SourceIps               // Expand the list of SourceIp entries into individual rows
| summarize Count = count() by SourceIp = tostring(SourceIps), ResourceId = _ResourceId
| sort by Count desc

Feedback

Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.

Submit and view feedback for

This product This page

View all page feedback

Queries for the AKSAudit table

Volume of Kubernetes audit events per SourceIp

Feedback

Feedback

Additional resources