AKS Kubernetes Audit Logs
Location
Azure Monitor diagnostic settings for AKS (categories: kube-audit, kube-audit-admin)
Description
Kubernetes API server audit records for AKS capturing authenticated requests against cluster resources, including pods, secrets, configmaps, role bindings, service accounts, exec sessions, and admission decisions.
Forensic Value
Kubernetes audit logs are the primary source for reconstructing attacker actions inside the cluster control plane. They reveal pod exec abuse, secret reads, privileged workload creation, cluster role binding changes, token misuse, and direct API access to sensitive resources. When retained in Log Analytics or Sentinel they provide the only reliable record of many in-cluster administrative actions.
Tools Required
Collection Commands
KQL
AKSAudit | where TimeGenerated > ago(30d) | project TimeGenerated, Verb, UserAgent, UserUsername, SourceIps, RequestURI, ObjectRefResource, ResponseStatusCode
KQL
AKSAuditAdmin | where TimeGenerated > ago(30d) | where Verb in ("create", "patch", "delete", "update") | project TimeGenerated, UserUsername, Verb, RequestURI, ResponseStatusCode
kubectl
kubectl get events --all-namespaces --sort-by=.metadata.creationTimestamp
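As an added example that is not part of this entry, the triage the Forensic Value section describes (pod exec, secret reads, role binding changes, privileged workload creation) run over audit records in the upstream audit.k8s.io/v1 Event format that the diagnostic categories export, rather than the flattened AKSAudit columns; the sample records, the tag names and the threshold of what counts as privileged are constructed assumptions.

```python
import json
from typing import Iterable, Optional
# Constructed audit.k8s.io/v1 records as JSON lines; not from any real cluster.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"stage": "ResponseComplete", "verb": "get", "requestURI": "/api/v1/namespaces/prod/secrets/db-creds",
     "user": {"username": "system:serviceaccount:prod:app"}, "sourceIPs": ["10.244.1.9"],
     "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-creds"}, "responseStatus": {"code": 200}},
    {"stage": "ResponseComplete", "verb": "create", "requestURI": "/api/v1/namespaces/prod/pods/web-1/exec?command=sh",
     "user": {"username": "dev@example.com"}, "sourceIPs": ["203.0.113.7"], "responseStatus": {"code": 101},
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "web-1", "subresource": "exec"}},
    {"stage": "ResponseComplete", "verb": "create", "requestURI": "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings",
     "user": {"username": "dev@example.com"}, "sourceIPs": ["203.0.113.7"], "responseStatus": {"code": 201},
     "objectRef": {"resource": "clusterrolebindings", "name": "all-admin"}},
    {"stage": "ResponseComplete", "verb": "create", "requestURI": "/api/v1/namespaces/prod/pods",
     "user": {"username": "dev@example.com"}, "sourceIPs": ["203.0.113.7"], "responseStatus": {"code": 201},
     "objectRef": {"resource": "pods", "namespace": "prod"},
     "requestObject": {"spec": {"hostPID": True, "containers": [{"name": "x", "securityContext": {"privileged": True}}]}}},
    {"stage": "ResponseComplete", "verb": "list", "requestURI": "/api/v1/namespaces/prod/pods", "user": {"username": "ci-bot"},
     "sourceIPs": ["10.0.0.5"], "responseStatus": {"code": 200}, "objectRef": {"resource": "pods", "namespace": "prod"}},
])

def is_privileged_pod(pod: dict) -> bool:
    # Host namespaces or a privileged (init) container in the submitted spec
    spec = pod.get("spec") or {}
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return bool(spec.get("hostPID") or spec.get("hostNetwork") or spec.get("hostIPC")
                or any((c.get("securityContext") or {}).get("privileged") for c in containers))

def classify(ev: dict) -> Optional[str]:
    # A request is logged at several stages (RequestReceived, ResponseComplete, ...); count it once
    if ev.get("stage") != "ResponseComplete":
        return None
    verb, ref = ev.get("verb"), ev.get("objectRef") or {}
    res, sub = ref.get("resource"), ref.get("subresource")
    if res == "pods" and sub == "exec":
        return "pod-exec"
    if res == "secrets" and verb in ("get", "list", "watch"):
        return "secret-read"
    if res in ("clusterrolebindings", "rolebindings") and verb in ("create", "update", "patch", "delete"):
        return "rbac-binding-change"
    if res == "pods" and verb == "create" and is_privileged_pod(ev.get("requestObject") or {}):
        return "privileged-pod-create"
    return None

def triage(lines: Iterable[str]) -> list:
    # Parse JSON lines; keep who, from where, and what was touched for each flagged request
    events = [json.loads(line) for line in lines if line.strip()]
    return [{"tag": tag, "user": (ev.get("user") or {}).get("username"),
             "source_ip": (ev.get("sourceIPs") or [None])[0], "uri": ev.get("requestURI")}
            for ev in events if (tag := classify(ev))]
```

Run `triage(SAMPLE_AUDIT_LOG.splitlines())` to see the four flagged requests; the routine pod list from `ci-bot` is not reported.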
MITRE ATT&CK Techniques
Used in Procedures
Related Blockers
Cloud or Container Logging Coverage Missing
The investigation depends on cloud-control-plane or container telemetry that was never enabled, was retained too briefly, or was routed to an unavailable destination. This creates blind spots around identity misuse, cluster administration, and workload behavior.
SaaS Audit Logging Not Enabled or Not Licensed
The investigation depends on SaaS audit evidence that was never enabled, is unavailable under the current subscription tier, or requires a higher-privilege admin role than the response team currently has. This creates blind spots for identity abuse, collaboration-platform misuse, and source-code access.
SaaS Audit Retention Expired Before Collection
The response started after the native retention window for Google Workspace, Okta, Slack, GitHub, or similar SaaS evidence had already passed. The necessary events are no longer available in the vendor UI or API even though the underlying accounts and content may still exist.