79660475

Date: 2025-06-10 13:03:38
Score: 2

The activity logs primarily capture operations made via ARM, such as cluster creation or deletion and fetching user or admin kubeconfig credentials:

MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION
MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/LISTCLUSTERADMINCREDENTIAL/ACTION

These events only represent ARM-level operations and do not capture in-cluster activities like kubectl apply/delete or direct pod/service/deployment changes, because such operations are handled by the K8s API server itself, not by the Azure control plane.

Microsoft.ContainerService/managedClusters/diagnosticLogs/Read indicates that someone viewed or checked the diagnostic settings of the AKS cluster in Azure, but this is not related to K8s-level activity like actual resource modification inside the cluster.

To capture manual changes inside the AKS cluster, like what you do using kubectl, enable K8s audit logs via Diagnostic settings: AKS cluster > Diagnostic settings > send the following to a Log Analytics workspace: kube-apiserver logs. Once enabled, query the KubeAudit table in Log Analytics.

Sample KQL:

KubeAudit
| where verb in ("create", "update", "delete")
| project TimeGenerated, user, verb, objectRef_resource, objectRef_name, objectRef_namespace
| sort by TimeGenerated desc

This will give you TimeGenerated (when the action occurred), who performed the action, and the action type (create, update or delete). Also, you can find what resource was touched and the name and namespace of the object.

NOTE: Activity logs cannot see kubectl or in-cluster operations; only KubeAudit logs will show actual K8s operations like pod creation, deletion or config updates. Make sure the correct diagnostic settings are enabled, otherwise the KubeAudit table won't have the data you expect.

If your goal is to detect manual or automated changes inside the AKS cluster via kubectl or API, you must use KubeAudit logs via Log Analytics, not Activity Logs.

Doc:

https://learn.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-log-query#resource-logs

https://learn.microsoft.com/en-us/azure/aks/monitor-aks?tabs=cilium

https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-logs-overview

Let me know any thoughts or doubts; I will be glad to help you out. Thank you, @pks

Reasons:
  • Blacklisted phrase (0.5): Thank you
  • Blacklisted phrase (1.5): any thoughts
  • Long answer (-1):
  • Has code block (-0.5):
  • User mentioned (1): @pks
  • Low reputation (0.5):
Posted by: Bheemani Anji Babu
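The two log sources the answer above contrasts, worked through offline as an added example (this is not code from the answer or from Microsoft; the Activity Log records and kube-apiserver audit events below are constructed for the example, with field names following the Activity Log schema and the audit.k8s.io/v1 Event schema). It reproduces the answer's KubeAudit query as plain Python over raw audit events and goes a little beyond it: it counts each request once (the API server emits a RequestReceived and a ResponseComplete event per request), includes the patch verb (kubectl apply on an existing object is sent as a PATCH, so a create/update/delete filter misses it), optionally drops denied requests and system: principals, and then joins the ARM credential-fetch event to the in-cluster change on the principal name. That join assumes the cluster uses Entra ID so the audit username equals the Activity Log caller; the principal names and timestamps are invented.

```python
"""Triage AKS changes from two sources: ARM Activity Log records (who fetched a
kubeconfig) and kube-apiserver audit events (what was then done in-cluster).
All sample records are constructed for this example."""
import json
from datetime import datetime

# ARM-level operations that hand out kubeconfig credentials (named in the answer).
CREDENTIAL_OPS = {
    "MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/LISTCLUSTERUSERCREDENTIAL/ACTION",
    "MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/LISTCLUSTERADMINCREDENTIAL/ACTION",
}

# Verbs that change cluster state. "patch" is included because `kubectl apply`
# on an existing object is sent as a PATCH, not an UPDATE.
MUTATING_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

# Constructed Activity Log records, one JSON object per line.
ACTIVITY_LOG = """\
{"eventTimestamp":"2025-06-10T09:02:11Z","operationName":"MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/LISTCLUSTERADMINCREDENTIAL/ACTION","caller":"alice@example.com","status":"Succeeded"}
{"eventTimestamp":"2025-06-10T09:05:40Z","operationName":"MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/DIAGNOSTICLOGS/READ","caller":"bob@example.com","status":"Succeeded"}
"""

# Constructed kube-apiserver audit events. The first request appears twice
# (RequestReceived, then ResponseComplete); only the latter carries the outcome.
KUBE_AUDIT = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"RequestReceived","verb":"patch","user":{"username":"alice@example.com"},"objectRef":{"resource":"deployments","namespace":"prod","name":"web","apiGroup":"apps"},"requestReceivedTimestamp":"2025-06-10T09:10:02.100000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"patch","user":{"username":"alice@example.com"},"objectRef":{"resource":"deployments","namespace":"prod","name":"web","apiGroup":"apps"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2025-06-10T09:10:02.100000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"alice@example.com"},"objectRef":{"resource":"pods","namespace":"prod","name":"web-abc12"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2025-06-10T09:10:03.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"delete","user":{"username":"system:serviceaccount:kube-system:deployment-controller"},"objectRef":{"resource":"replicasets","namespace":"prod","name":"web-5d4f","apiGroup":"apps"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2025-06-10T09:10:05.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"mallory@example.com"},"objectRef":{"resource":"clusterrolebindings","name":"evil","apiGroup":"rbac.authorization.k8s.io"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2025-06-10T09:11:00.000000Z"}
"""


def credential_fetches(activity_json_lines):
    """Activity Log side: who pulled a kubeconfig, which one, and when.
    Nothing here says what they did with it; that only shows in the audit log."""
    out = []
    for line in activity_json_lines.splitlines():
        rec = json.loads(line)
        if rec["operationName"].upper() in CREDENTIAL_OPS:
            out.append({
                "time": rec["eventTimestamp"],
                "caller": rec["caller"],
                "op": rec["operationName"].rsplit("/", 2)[-2].lower(),
            })
    return out


def mutating_changes(audit_json_lines, include_failed=False, include_system=False):
    """Audit log side: the answer's KQL projection (time, user, verb, resource,
    name, namespace), with each request counted once and PATCH included."""
    out = []
    for line in audit_json_lines.splitlines():
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":
            continue  # skip the RequestReceived copy of the same request
        if ev.get("verb") not in MUTATING_VERBS:
            continue
        user = ev.get("user", {}).get("username", "")
        if not include_system and user.startswith("system:"):
            continue  # controllers reconciling, not a human or pipeline
        code = ev.get("responseStatus", {}).get("code", 0)
        if not include_failed and code >= 400:
            continue  # denied requests are worth alerting on, but are not changes
        ref = ev.get("objectRef", {})
        out.append({
            "time": ev["requestReceivedTimestamp"],
            "user": user,
            "verb": ev["verb"],
            "resource": ref.get("resource"),
            "name": ref.get("name"),
            "namespace": ref.get("namespace", ""),  # empty for cluster-scoped objects
            "status": code,
        })
    out.sort(key=lambda r: r["time"], reverse=True)  # newest first, like the KQL
    return out


def link_to_credential_fetch(fetches, changes, window_minutes=60):
    """Join the two sources on principal: a change is linked when the same identity
    fetched a kubeconfig within the window before it. Assumes Entra ID integration,
    so the audit username equals the ARM caller (an assumption of this example)."""
    def ts(s):
        return datetime.fromisoformat(s.replace("Z", "+00:00"))

    linked = []
    for ch in changes:
        for f in fetches:
            if f["caller"] != ch["user"]:
                continue
            delta = (ts(ch["time"]) - ts(f["time"])).total_seconds()
            if 0 <= delta <= window_minutes * 60:
                linked.append({**ch, "kubeconfig_via": f["op"], "fetched_at": f["time"]})
                break
    return linked


if __name__ == "__main__":
    fetches = credential_fetches(ACTIVITY_LOG)
    changes = mutating_changes(KUBE_AUDIT)
    print("kubeconfig fetches (Activity Log):", fetches)
    print("in-cluster changes (audit log):", changes)
    print("linked:", link_to_credential_fetch(fetches, changes))
```

The Activity Log only yields the admin-credential fetch; the deployment patch, the denied clusterrolebinding create and the controller's replicaset delete exist only in the audit events, which is the answer's point. Run with `include_failed=True` to surface the 403 as a separate alert stream rather than as a change.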