Queries for the AKSAudit table
Volume of Kubernetes audit events per SourceIp
Display the count of Kubernetes audit events generated from a given source IP address for each AKS cluster. Requires Diagnostic Settings to use the Resource Specific destination table.
AKSAudit
| where ResponseStatus.code != 401 // Exclude unauthorized responses
| mv-expand SourceIps // Expand the list of SourceIp entries into individual rows
| summarize Count = count() by SourceIp = tostring(SourceIps), ResourceId = _ResourceId
| sort by Count desc