Skip to main content

Azure Kubernetes Services

Details
Content
Dependencies
Version History

Download With Dependencies

Deploy and manage containerized applications with a fully managed Kubernetes service.

Azure Kubernetes Services (AKS)

### This pack includes:

Data normalization capabilities:

Rules for parsing and modeling Azure AKS Resource Logs that are ingested via the Azure Event Hub data source on Cortex XSIAM.
- When configuring the Azure Event Hub data source, mark the following checkbox under the Enhanced Cloud Protection section:
  - Use audit logs in analytics
- The ingested Azure AKS resource logs can be queried in XQL Search using the msft_azure_aks_raw dataset.

Pay Attention:
This pack should only be installed after installing the Azure Logs pack.

Supported log categories

Azure Log Analytics Table	Category	Category Display Name
AKSAudit	kube-audit	Kubernetes Audit
AKSAuditAdmin	kube-audit-admin	Kubernetes Audit Admin Logs
AKSControlPlane	kube-apiserver	Kubernetes API Server
AKSControlPlane	kube-controller-manager	Kubernetes Controller Manager
AKSControlPlane	kube-scheduler	Kubernetes Scheduler
AKSControlPlane	cloud-controller-manager	Kubernetes Cloud Controller Manager
AKSControlPlane	cluster-autoscaler	Kubernetes Cluster Autoscaler
AKSControlPlane	guard	Guard

Timestamp Ingestion:

For msft_azure_aks_raw, timestamp ingestion is according to one of the following fields;

requestreceivedtime
TimeGenerated
properties.log.requestReceivedTimestamp

In UTC time zone YYYY-mm-ddTHH:MM:SS.ssssZ format. E.g; 2025-02-04T11:23:29.0324070Z

Integrations

Name	Description
Azure Kubernetes Services	Deploy and manage containerized applications with a fully managed Kubernetes service.

Integrations

Name	Description
Azure Kubernetes Services	Deploy and manage containerized applications with a fully managed Kubernetes service.

Modeling Rules

Name	Description
Azure AKS Modeling Rule

Parsing Rules

Name	Description
Azure AKS Parsing Rule

1.2.5 - R2988287 (March 26, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 38912

Download

1.2.4 - R2040490 (January 22, 2025)

Integrations

Azure Kubernetes Services

Updated the Docker image to: demisto/crypto:1.0.0.114611.

Related pull requests:
- 37375
- 37353

Download

1.2.3 - 1669335 (November 19, 2024)

Integrations

Azure Kubernetes Services

Fixed an issue in MicrosoftApiModule where the GCC High Defender endpoint was incorrect.

Related pull requests:
- 37253

Download

1.2.2 - 1480610 (October 8, 2024)

Integrations

Azure Kubernetes Services

Added infrastructure support for Microsoft Graph Application endpoints.

Related pull requests:
- 36407

Download

1.2.1 - 1244506 (August 5, 2024)

Integrations

Azure Kubernetes Services

Updated the MicrosoftApiModule with exchange_online endpoints.

Related pull requests:
- 34917
- 34909
- 34903
- 34906
- 34147
- 34217
- 34908
- 34619
- 34911
- 34823
- 34837
- 34918
- 34816
- 34630
- 34871
- 34767
- 34879
- 34912
- 34840
- 34931
- 34892
- 34920
- 34926
- 34814
- 34811
- 34964
- 34967
- 34979
- 34921
- 34990
- 34896
- 34966
- 34985
- 34983
- 34255
- 34975
- 34999
- 34913
- 35000
- 34990
- 35002
- 34932
- 34862
- 35005
- 34868
- 34977
- 35009
- 34969
- 34591
- 34693
- 34657
- 34671
- 34681
- 34676
- 34672
- 34372
- 34701
- 34660
- 34684
- 34700
- 34702
- 34696
- 34117
- 34704
- 34706
- 34692
- 33735
- 34714
- 34703
- 34353
- 34725
- 34694
- 34734
- 34640
- 34724
- 34652
- 34443
- 34730
- 34653
- 34732
- 34667
- 34709
- 34755
- 34759
- 32423
- 34598
- 34758
- 34745
- 34762
- 34327
- 34742
- 34474
- 34766
- 34774
- 34782
- 34763
- 34756
- 34747
- 34645
- 34532
- 34675
- 34777
- 34788
- 34804
- 34729
- 34796
- 34691
- 34784
- 34783
- 34765
- 34485
- 34768
- 34593
- 34813
- 34818
- 34832
- 34772
- 34830
- 34833
- 34829
- 34834
- 34839
- 34828
- 34388
- 34838
- 34761
- 34858
- 34861
- 34764
- 34738
- 34538
- 34831
- 34748
- 34846
- 34845
- 34864
- 34817
- 34686
- 34865
- 34867
- 34863
- 34880
- 34876
- 34386
- 34881
- 34884
- 34799
- 34827
- 34883
- 34886
- 34512
- 34887
- 34889
- 34877
- 34904
- 34905
- 34909
- 34903
- 34906
- 34147
- 34217
- 34908
- 34619
- 34911
- 34823
- 34837
- 34918
- 34816
- 34630
- 34871
- 34767
- 34879
- 34912
- 34840
- 34931
- 34892
- 34920
- 34926
- 34814
- 34811
- 34964
- 34967
- 34979
- 34921
- 34990
- 34896
- 34966
- 34985
- 34983
- 34255
- 34608
- 35026
- 35029
- 35015
- 35023
- 34776
- 34654
- 34978
- 34986
- 34938
- 34506
- 35011
- 35014
- 34779
- 35019
- 35039
- 34897
- 35049
- 35016
- 35046
- 35051
- 35040
- 34614
- 32477

Download

1.2.0 - 1155254 (July 7, 2024)

Integrations

Azure Kubernetes Services

Added support for the Client Credentials authentication flow.

Related pull requests:
- 35161

Download

1.1.26 - 1066075 (June 3, 2024)

Integrations

Azure Kubernetes Services

Fixed an issue in where the GCC endpoints were incorrect in the supported integrations.

Related pull requests:
- 34634

Download

1.1.25 - 1051712 (May 28, 2024)

Integrations

Azure Kubernetes Services

Added support for Microsoft Defender 365 Endpoint in the Microsoft API Module.
Updated the MicrosoftApiModule to better handle the Authorization Code flow in the supported integrations.
Updated the Docker image to: demisto/crypto:1.0.0.96042.

Related pull requests:
- 34495

Download

1.1.24 - 1021616 (May 16, 2024)

Integrations

Azure Kubernetes Services

Fixed an issue in MicrosoftApiModule where the GCC endpoints were incorrect.

Related pull requests:
- 34360

Download

1.1.23 - 919924 (March 28, 2024)

Integrations

Azure Kubernetes Services

Added a timeout value to the retry on rate limit mechanism.

Related pull requests:
- 33566

Download

1.2.5 - R2988287 (March 26, 2025)

Modeling Rules

New: Azure AKS Modeling Rule

New: Added a new modeling rule- Azure AKS Modeling Rule that normalizes log field to XDM fields.
(Available from Cortex XSIAM 2.5).

Parsing Rules

New: Azure AKS Parsing Rule

New: Added a new parsing rule- Azure AKS Parsing Rule that ingests log timestamps for an accurate display of events.
(Available from Cortex XSIAM 2.5).

Related pull requests:
- 38912

Download

1.2.4 - R2040490 (January 22, 2025)

Integrations

Azure Kubernetes Services

Updated the Docker image to: demisto/crypto:1.0.0.114611.

Related pull requests:
- 37375
- 37353

Download

1.2.3 - 1669335 (November 19, 2024)

Integrations

Azure Kubernetes Services

Fixed an issue in MicrosoftApiModule where the GCC High Defender endpoint was incorrect.

Related pull requests:
- 37253

Download

1.2.2 - 1480610 (October 8, 2024)

Integrations

Azure Kubernetes Services

Added infrastructure support for Microsoft Graph Application endpoints.

Related pull requests:
- 36407

Download

1.2.1 - 1244506 (August 5, 2024)

Integrations

Azure Kubernetes Services

Updated the MicrosoftApiModule with exchange_online endpoints.

Related pull requests:
- 34917
- 34909
- 34903
- 34906
- 34147
- 34217
- 34908
- 34619
- 34911
- 34823
- 34837
- 34918
- 34816
- 34630
- 34871
- 34767
- 34879
- 34912
- 34840
- 34931
- 34892
- 34920
- 34926
- 34814
- 34811
- 34964
- 34967
- 34979
- 34921
- 34990
- 34896
- 34966
- 34985
- 34983
- 34255
- 34975
- 34999
- 34913
- 35000
- 34990
- 35002
- 34932
- 34862
- 35005
- 34868
- 34977
- 35009
- 34969
- 34591
- 34693
- 34657
- 34671
- 34681
- 34676
- 34672
- 34372
- 34701
- 34660
- 34684
- 34700
- 34702
- 34696
- 34117
- 34704
- 34706
- 34692
- 33735
- 34714
- 34703
- 34353
- 34725
- 34694
- 34734
- 34640
- 34724
- 34652
- 34443
- 34730
- 34653
- 34732
- 34667
- 34709
- 34755
- 34759
- 32423
- 34598
- 34758
- 34745
- 34762
- 34327
- 34742
- 34474
- 34766
- 34774
- 34782
- 34763
- 34756
- 34747
- 34645
- 34532
- 34675
- 34777
- 34788
- 34804
- 34729
- 34796
- 34691
- 34784
- 34783
- 34765
- 34485
- 34768
- 34593
- 34813
- 34818
- 34832
- 34772
- 34830
- 34833
- 34829
- 34834
- 34839
- 34828
- 34388
- 34838
- 34761
- 34858
- 34861
- 34764
- 34738
- 34538
- 34831
- 34748
- 34846
- 34845
- 34864
- 34817
- 34686
- 34865
- 34867
- 34863
- 34880
- 34876
- 34386
- 34881
- 34884
- 34799
- 34827
- 34883
- 34886
- 34512
- 34887
- 34889
- 34877
- 34904
- 34905
- 34909
- 34903
- 34906
- 34147
- 34217
- 34908
- 34619
- 34911
- 34823
- 34837
- 34918
- 34816
- 34630
- 34871
- 34767
- 34879
- 34912
- 34840
- 34931
- 34892
- 34920
- 34926
- 34814
- 34811
- 34964
- 34967
- 34979
- 34921
- 34990
- 34896
- 34966
- 34985
- 34983
- 34255
- 34608
- 35026
- 35029
- 35015
- 35023
- 34776
- 34654
- 34978
- 34986
- 34938
- 34506
- 35011
- 35014
- 34779
- 35019
- 35039
- 34897
- 35049
- 35016
- 35046
- 35051
- 35040
- 34614
- 32477

Download

1.2.0 - 1155254 (July 7, 2024)

Integrations

Azure Kubernetes Services

Added support for the Client Credentials authentication flow.

Related pull requests:
- 35161

Download

1.1.26 - 1066075 (June 3, 2024)

Integrations

Azure Kubernetes Services

Fixed an issue in where the GCC endpoints were incorrect in the supported integrations.

Related pull requests:
- 34634

Download

1.1.25 - 1051712 (May 28, 2024)

Integrations

Azure Kubernetes Services

Added support for Microsoft Defender 365 Endpoint in the Microsoft API Module.
Updated the MicrosoftApiModule to better handle the Authorization Code flow in the supported integrations.
Updated the Docker image to: demisto/crypto:1.0.0.96042.

Related pull requests:
- 34495

Download

1.1.24 - 1021616 (May 16, 2024)

Integrations

Azure Kubernetes Services

Fixed an issue in MicrosoftApiModule where the GCC endpoints were incorrect.

Related pull requests:
- 34360

Download

1.1.23 - 919924 (March 28, 2024)

Integrations

Azure Kubernetes Services

Added a timeout value to the retry on rate limit mechanism.

Related pull requests:
- 33566

Download

PUBLISHER

Cortex

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	February 2, 2021
Last Release	March 26, 2025

WORKS WITH THE FOLLOWING INTEGRATIONS:

Azure Kubernetes Services

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.