Queries for the AKSAuditAdmin table
For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.
Volume of admin Kubernetes audit events per username
Display the count of admin Kubernetes audit events generated from a given user name for each AKS cluster. Requires Diagnostic Settings to use the Resource Specific destination table.
AKSAuditAdmin
| where ResponseStatus.code != 401 // Exclude unauthorized responses
| summarize Count = count() by Username = tostring(User.username), ResourceId = _ResourceId
| sort by Count desc
Admin Kubernetes audit events for deployment
Query for admin Kubernetes audit events against deployments within the default namespace. Requires Diagnostic Settings to use the Resource Specific destination table.
AKSAuditAdmin
| where ObjectRef.resource == "deployments"
| where ObjectRef.namespace == "default"
| where User.username != "system:serviceaccount:kube-system:deployment-controller" // Exclude updates from the kube controller for deployments
| limit 100
| project TimeGenerated, Verb, RequestUri, User, RequestObject, ObjectRef