Azure Kubernetes Service (AKS) Activity Logs
Location
Azure Portal > Monitor > Activity Log filtered to Microsoft.ContainerService/managedClusters
Description
Azure control-plane activity logs for AKS clusters covering cluster creation, upgrade, scale changes, diagnostic-setting updates, role assignments, credential rotations, and managed cluster delete operations with caller identity and source IP.
Forensic Value
AKS activity logs show who changed the cluster control plane, from where, and when. They are the primary evidence for admin kubeconfig retrieval (the Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action operation), unauthorized role assignments at cluster scope, node pool changes used to stage attacker workloads, and deletion of the cluster or of the diagnostic settings that feed its audit logs. Correlating the caller identity and caller IP with Entra ID sign-in logs shows whether a change came from a compromised administrator, a workload identity, or an automation account. One limit matters for scoping: the activity log records only Azure Resource Manager operations against the cluster object, so actions taken inside the cluster through the Kubernetes API (kubectl commands, in-cluster RBAC changes, secret reads) appear only in the kube-audit or kube-audit-admin diagnostic log categories, which have to be enabled separately on the cluster.
Tools Required
Collection Commands
az CLI
az monitor activity-log list --resource-group <rg> --offset 30d --query "[?contains(resourceId, '/providers/Microsoft.ContainerService/managedClusters/')]" > aks_activity.json
PowerShell
Get-AzLog -ResourceGroupName <rg> -StartTime (Get-Date).AddDays(-30) | Where-Object { $_.ResourceId -like "*/providers/Microsoft.ContainerService/managedClusters/*" } | Export-Csv aks_activity.csv -NoTypeInformation
KQL
AzureActivity | where TimeGenerated > ago(30d) | where ResourceId contains "/providers/Microsoft.ContainerService/managedClusters/" | project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ResourceGroup, ResourceId, CorrelationId | order by TimeGenerated asc
All three commands filter on the cluster resource ID rather than on the operation name or resource provider, so that role assignments (Microsoft.Authorization) and diagnostic-setting changes (Microsoft.Insights) scoped to the cluster are kept; a provider filter drops them. The JMESPath string literal in the az command uses single quotes because backticks inside a double-quoted bash argument are executed as a command substitution. The platform retains activity log events for 90 days; older events are available only if a diagnostic setting forwarded AzureActivity to a Log Analytics workspace or a storage account.
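As an added example (not part of this entry and not Microsoft tooling), the following Python script triages the JSON export written by the az CLI command above. It flags the operations an investigator checks first, skips the duplicate Started rows so each action is counted once, keeps failed attempts because they still show intent, and maps each caller to the source addresses it used. The field names it reads (operationName.value, caller, httpRequest.clientIpAddress, eventTimestamp, status.value, resourceId) are assumed to match the az CLI export schema, and the embedded sample events are constructed for illustration.

```python
"""Triage an AKS activity-log export for high-risk control-plane operations.

Added example for this page; not Microsoft tooling or code from the original
entry. Reads the JSON written by `az monitor activity-log list`. Field names
(operationName.value, caller, httpRequest.clientIpAddress, eventTimestamp,
status.value, resourceId) are assumed to match the az CLI export schema; the
events in SAMPLE_EXPORT are constructed, not real log data.
"""
import json
from collections import defaultdict

# ARM operation names as they appear in operationName.value, with a short
# investigator-facing label. Lookups are case-insensitive because ARM casing
# is not consistent across resource providers.
HIGH_RISK_OPERATIONS = {
    "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action": "admin kubeconfig retrieved",
    "Microsoft.ContainerService/managedClusters/rotateClusterCertificates/action": "cluster certificates rotated",
    "Microsoft.ContainerService/managedClusters/agentPools/write": "node pool created or changed",
    "Microsoft.ContainerService/managedClusters/delete": "cluster deleted",
    "Microsoft.Authorization/roleAssignments/write": "role assignment at cluster scope",
    "Microsoft.Insights/diagnosticSettings/delete": "diagnostic setting removed",
}
_HIGH_RISK_LOWER = {k.lower(): v for k, v in HIGH_RISK_OPERATIONS.items()}

CLUSTER = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg"
           "/providers/Microsoft.ContainerService/managedClusters/prod-aks")


def _event(ts, op, caller, ip, status, resource=CLUSTER):
    """Build one constructed event in the shape of the az CLI export."""
    return {
        "eventTimestamp": ts,
        "operationName": {"value": op},
        "caller": caller,
        "httpRequest": {"clientIpAddress": ip},
        "status": {"value": status},
        "resourceId": resource,
    }


# Constructed sample: routine pipeline activity, then one user identity pulling
# the admin kubeconfig from a new address, removing a diagnostic setting,
# granting a role, and trying (and failing) to delete the cluster.
SAMPLE_EXPORT = json.dumps([
    _event("2024-05-02T08:30:00Z", "Microsoft.ContainerService/managedClusters/agentPools/write",
           "ops-pipeline@contoso.example", "203.0.113.10", "Succeeded", CLUSTER + "/agentPools/nodepool1"),
    _event("2024-05-02T10:00:00Z", "Microsoft.ContainerService/managedClusters/write",
           "jdoe@contoso.example", "203.0.113.10", "Succeeded"),
    _event("2024-05-02T21:02:11Z", "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
           "jdoe@contoso.example", "198.51.100.7", "Started"),
    _event("2024-05-02T21:02:12Z", "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
           "jdoe@contoso.example", "198.51.100.7", "Succeeded"),
    _event("2024-05-02T21:05:40Z", "microsoft.insights/diagnosticSettings/delete",
           "jdoe@contoso.example", "198.51.100.7", "Succeeded",
           CLUSTER + "/providers/microsoft.insights/diagnosticSettings/aks-audit"),
    _event("2024-05-02T21:07:02Z", "Microsoft.Authorization/roleAssignments/write",
           "jdoe@contoso.example", "198.51.100.7", "Succeeded",
           CLUSTER + "/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111"),
    _event("2024-05-02T21:30:15Z", "Microsoft.ContainerService/managedClusters/delete",
           "jdoe@contoso.example", "198.51.100.7", "Failed"),
])


def load_events(text):
    """Parse the JSON array produced by `az monitor activity-log list`."""
    return json.loads(text)


def flag_high_risk(events):
    """Return high-risk operations in time order, one entry per outcome.

    Most ARM operations are logged more than once (Started, then Succeeded or
    Failed). The Started row is skipped so each action is counted once; failed
    attempts are kept because they still show intent.
    """
    findings = []
    for ev in events:
        op = ev.get("operationName", {}).get("value", "")
        status = ev.get("status", {}).get("value", "")
        reason = _HIGH_RISK_LOWER.get(op.lower())
        if status == "Started" or reason is None:
            continue
        findings.append({
            "time": ev.get("eventTimestamp", ""),
            "caller": ev.get("caller"),
            "ip": ev.get("httpRequest", {}).get("clientIpAddress"),
            "operation": op,
            "status": status,
            "reason": reason,
            "resource": ev.get("resourceId"),
        })
    return sorted(findings, key=lambda f: f["time"])


def callers_by_ip(events):
    """Map each caller to the set of source IPs it used, to spot an identity
    acting from an address it has not used before."""
    seen = defaultdict(set)
    for ev in events:
        ip = ev.get("httpRequest", {}).get("clientIpAddress")
        if ev.get("caller") and ip:
            seen[ev["caller"]].add(ip)
    return dict(seen)


if __name__ == "__main__":
    evs = load_events(SAMPLE_EXPORT)
    for f in flag_high_risk(evs):
        print(f"{f['time']} {f['status']:9} {f['caller']} {f['ip']} {f['reason']}")
    for caller, ips in callers_by_ip(evs).items():
        print(f"{caller}: {sorted(ips)}")
```

Run it against a real export by replacing SAMPLE_EXPORT with the contents of aks_activity.json; the caller-to-IP map is what you take to the Entra ID sign-in logs to confirm whether the address belongs to the person or to a token reused from elsewhere.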
MITRE ATT&CK Techniques
Used in Procedures
Related Blockers
Cloud or Container Logging Coverage Missing
The investigation depends on cloud-control-plane or container telemetry that was never enabled, was retained too briefly, or was routed to an unavailable destination. This creates blind spots around identity misuse, cluster administration, and workload behavior.
SaaS Audit Logging Not Enabled or Not Licensed
The investigation depends on SaaS audit evidence that was never enabled, is unavailable under the current subscription tier, or requires a higher-privilege admin role than the response team currently has. This creates blind spots for identity abuse, collaboration-platform misuse, and source-code access.
SaaS Audit Retention Expired Before Collection
The response started after the native retention window for Google Workspace, Okta, Slack, GitHub, or similar SaaS evidence had already passed. The necessary events are no longer available in the vendor UI or API even though the underlying accounts and content may still exist.