Azure Kubernetes Services (AKS)
This pack includes
Data normalization capabilities:
- Rules for parsing and modeling Azure AKS Resource Logs that are ingested via the Azure Event Hub data source on Cortex XSIAM.
- When configuring the Azure Event Hub data source, mark the following checkbox under the Enhanced Cloud Protection section:
Use audit logs in analytics- The ingested Azure AKS resource logs can be queried in XQL Search using the
msft_azure_aks_rawdataset.
Pay Attention:
This pack should only be installed after installing the Azure Logs pack.
Supported log categories
| Azure Log Analytics Table | Category | Category Display Name |
|---|---|---|
| AKSAudit | kube-audit | Kubernetes Audit |
| AKSAuditAdmin | kube-audit-admin | Kubernetes Audit Admin Logs |
| AKSControlPlane | kube-apiserver | Kubernetes API Server |
| AKSControlPlane | kube-controller-manager | Kubernetes Controller Manager |
| AKSControlPlane | kube-scheduler | Kubernetes Scheduler |
| AKSControlPlane | cloud-controller-manager | Kubernetes Cloud Controller Manager |
| AKSControlPlane | cluster-autoscaler | Kubernetes Cluster Autoscaler |
| AKSControlPlane | guard | Guard |
Timestamp Ingestion
For msft_azure_aks_raw, timestamp ingestion is according to one of the following fields;
- requestreceivedtime
- TimeGenerated
- properties.log.requestReceivedTimestamp
- time
In UTC time zone YYYY-mm-ddTHH:MM:SS.ssssZ format. E.g; 2025-02-04T11:23:29.0324070Z
