Queries for the AKSAuditAdmin table
Volume of admin Kubernetes audit events per username
Display the count of admin Kubernetes audit events generated from a given user name for each AKS cluster. Requires Diagnostic Settings to use the Resource Specific destination table.
AKSAuditAdmin
| where ResponseStatus.code != 401 // Exclude unauthorized responses
| summarize Count = count() by Username = tostring(User.username), ResourceId = _ResourceId
| sort by Count desc
Admin Kubernetes audit events for deployment
Query for admin Kubernetes audit events against deployments within the default namespace. Requires Diagnostic Settings to use the Resource Specific destination table.
AKSAuditAdmin
| where ObjectRef.resource == "deployments"
| where ObjectRef.namespace == "default"
| where User.username != "system:serviceaccount:kube-system:deployment-controller" // Exclude updates from the kube controller for deployments
| limit 100
| project TimeGenerated, Verb, RequestUri, User, RequestObject, ObjectRef