AKS Container Insights and Pod Telemetry

Cloud & SaaS, Execution Evidence, Cloud Control Plane, SIEM / Log Aggregator

Location

Azure Monitor Container Insights / Log Analytics tables (ContainerLogV2, KubePodInventory, KubeEvents)

Description

Runtime telemetry for AKS pods and nodes including container stdout/stderr logs, pod inventory changes, namespace placement, image names, restart activity, and Kubernetes event streams.

Forensic Value

Container telemetry links control-plane actions to runtime behavior. It exposes suspicious images pulled into the cluster, ephemeral attacker pods, repeated crash loops caused by tampering, exec-based troubleshooting shells, and workloads that contacted unexpected destinations. Combined with Kubernetes audit logs, Container Insights reconstructs both who launched a workload and what it did after launch.

Tools Required

Azure Monitor, Log Analytics, KQL, kubectl

Collection Commands

KQL

ContainerLogV2
| where TimeGenerated > ago(7d)
| project TimeGenerated, PodNamespace, PodName, ContainerName, LogMessage

KQL

// KubePodInventory exposes the pod name as Name and carries no image column;
// the image comes from ContainerInventory, joined on ContainerID.
KubePodInventory
| where TimeGenerated > ago(7d)
| join kind=leftouter (
    ContainerInventory
    | where TimeGenerated > ago(7d)
    | distinct ContainerID, Image, ImageTag
  ) on ContainerID
| project TimeGenerated, Namespace, PodName = Name, ContainerName, ContainerID, Image, ImageTag, PodStatus

KQL

KubeEvents
| where TimeGenerated > ago(7d)
| project TimeGenerated, Namespace, Name, Reason, Message
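
The following is an added hunting query, not part of the original collection commands: it looks for the "ephemeral attacker pod" pattern described under Forensic Value by finding pods with no owning controller (pods created directly rather than through a Deployment, Job or DaemonSet) that existed for under an hour, and attaches their first stdout/stderr lines from ContainerLogV2. The ControllerKind, PodCreationTimeStamp and ContainerRestartCount columns are assumed from the Container Insights KubePodInventory schema, and the excluded namespaces are a placeholder allowlist to tune per cluster.

```kql
// Added example: short-lived, controller-less pods with their first log lines.
// Column names for KubePodInventory (Name, ControllerKind, ContainerRestartCount)
// are assumed from the Container Insights schema; the namespace allowlist is a placeholder.
let lookback = 7d;
let shortLived =
    KubePodInventory
    | where TimeGenerated > ago(lookback)
    | where isempty(ControllerKind)                               // no Deployment/Job/DaemonSet owner
    | where Namespace !in ("kube-system", "gatekeeper-system")    // placeholder allowlist; tune per cluster
    | summarize FirstSeen = min(TimeGenerated),
                LastSeen  = max(TimeGenerated),
                Statuses  = make_set(PodStatus),
                Restarts  = max(ContainerRestartCount)
        by Namespace, PodName = Name, PodUid
    | extend LifetimeMinutes = datetime_diff("minute", LastSeen, FirstSeen)
    | where LifetimeMinutes < 60;
shortLived
| join kind=leftouter (
    ContainerLogV2
    | where TimeGenerated > ago(lookback)
    | summarize FirstLines = make_list(LogMessage, 5) by PodNamespace, PodName   // first 5 lines per pod
  ) on $left.Namespace == $right.PodNamespace, $left.PodName == $right.PodName
| project FirstSeen, LastSeen, LifetimeMinutes, Namespace, PodName, Statuses, Restarts, FirstLines
| order by FirstSeen desc
```

Pods surfaced here should be cross-referenced with the Kubernetes audit log to identify the identity that created them.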

MITRE ATT&CK Techniques

T1525 (Implant Internal Image), T1610 (Deploy Container), T1611 (Escape to Host), T1059 (Command and Scripting Interpreter)