Queries for the AKSAuditAdmin table

For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.

Volume of admin Kubernetes audit events per username

Display the count of admin Kubernetes audit events generated by each user name, for each AKS cluster. Requires Diagnostic Settings to use the Resource Specific destination table.

AKSAuditAdmin
| where ResponseStatus.code != 401 // Exclude unauthorized responses
| summarize Count = count() by Username = tostring(User.username), ResourceId = _ResourceId
| sort by Count desc

Admin Kubernetes audit events for deployment

Query for admin Kubernetes audit events against deployments within the default namespace. Requires Diagnostic Settings to use the Resource Specific destination table.

AKSAuditAdmin
| where ObjectRef.resource == "deployments"
| where ObjectRef.namespace == "default"
| where User.username != "system:serviceaccount:kube-system:deployment-controller" // Exclude updates from the kube controller for deployments
| limit 100
| project TimeGenerated, Verb, RequestUri, User, RequestObject, ObjectRef
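
The following is an added example, not one of the original queries on this page: it combines the filters from both queries above to count changes to deployments in the default namespace per user and verb. `SampleAudit` and every row in it are constructed stand-ins for the AKSAuditAdmin table so the query can be run without cluster data; replace `SampleAudit` with `AKSAuditAdmin` to run it against a workspace.

```kusto
// Constructed sample rows; user names, object names and timestamps are made up.
let SampleAudit = datatable(TimeGenerated:datetime, Verb:string, User:dynamic, ObjectRef:dynamic, ResponseStatus:dynamic)
[
    // Two successful patches by the same user: counted together
    datetime(2024-01-01T10:00:00Z), "patch",  dynamic({"username":"alice@example.com"}), dynamic({"resource":"deployments","namespace":"default","name":"web"}), dynamic({"code":200}),
    datetime(2024-01-01T10:05:00Z), "patch",  dynamic({"username":"alice@example.com"}), dynamic({"resource":"deployments","namespace":"default","name":"web"}), dynamic({"code":200}),
    // Forbidden delete: kept, because only 401 responses are excluded
    datetime(2024-01-01T10:10:00Z), "delete", dynamic({"username":"bob@example.com"}), dynamic({"resource":"deployments","namespace":"default","name":"web"}), dynamic({"code":403}),
    // Deployment controller update: dropped by the user name filter
    datetime(2024-01-01T10:11:00Z), "update", dynamic({"username":"system:serviceaccount:kube-system:deployment-controller"}), dynamic({"resource":"deployments","namespace":"default","name":"web"}), dynamic({"code":200}),
    // Unauthorized request: dropped by the response code filter
    datetime(2024-01-01T10:12:00Z), "create", dynamic({"username":"carol@example.com"}), dynamic({"resource":"deployments","namespace":"default","name":"api"}), dynamic({"code":401}),
    // Different resource and different namespace: dropped by the ObjectRef filters
    datetime(2024-01-01T10:13:00Z), "get",    dynamic({"username":"alice@example.com"}), dynamic({"resource":"pods","namespace":"default","name":"web-1"}), dynamic({"code":200}),
    datetime(2024-01-01T10:14:00Z), "create", dynamic({"username":"bob@example.com"}), dynamic({"resource":"deployments","namespace":"kube-system","name":"dns"}), dynamic({"code":201})
];
SampleAudit
| where ObjectRef.resource == "deployments"
| where ObjectRef.namespace == "default"
| where User.username != "system:serviceaccount:kube-system:deployment-controller" // Exclude updates from the kube controller for deployments
| where ResponseStatus.code != 401 // Exclude unauthorized responses
// Dynamic fields are cast with tostring() before being used as grouping keys
| summarize Count = count(), LastSeen = max(TimeGenerated) by Username = tostring(User.username), Verb
| sort by Count desc
```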
