Queries for the AKSAudit table
For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.
Volume of Kubernetes audit events per SourceIp
Display the count of Kubernetes audit events generated from a given source IP address for each AKS cluster. Requires Diagnostic Settings to use the Resource Specific destination table.
AKSAudit
| where ResponseStatus.code != 401 // Exclude unauthorized responses
| mv-expand SourceIps // Expand the list of SourceIp entries into individual rows
| summarize Count = count() by SourceIp = tostring(SourceIps), ResourceId = _ResourceId
| sort by Count desc