For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.
Top 10 active Kubernetes pods
Get the 10 Kubernetes namespace/pod pairs with the most process events in the selected time range. Pods with the same name in different namespaces are counted separately.
CloudProcessEvents
| summarize Count = count() by KubernetesNamespace, KubernetesPodName
| top 10 by Count
Process creation events in containers
Process creation events (ActionType "ProcessCreated") grouped by process name and container image, most frequent first. This is a useful baseline of which images normally run which binaries.
CloudProcessEvents
| where ActionType has "ProcessCreated"
| summarize Count = count() by ProcessName, ContainerImageName
| order by Count desc
| limit 100
Suspicious commands in containers
Process events whose command line contains a shell or download utility such as curl, wget, bash, or sh. has_any matches whole, case-insensitive terms anywhere in ProcessCommandLine, so "sh" matches /bin/sh but not bash, and any argument that happens to contain one of these words also matches. Expect noise from legitimate entrypoints, init scripts, and health checks; treat this as a hunting starting point rather than an alert.
CloudProcessEvents
| where ProcessCommandLine has_any ("curl", "wget", "bash", "sh")
| project TimeGenerated, KubernetesNamespace, KubernetesPodName, ProcessName, ProcessCommandLine, AccountName
| limit 100
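The query above is deliberately broad. As an added example (not part of the original page), the following query narrows it by matching on the executable name rather than the whole command line, excluding namespaces you have already baselined, and reporting only image/process pairs that did not occur in the preceding 14 days. The namespace list, the lookback periods, and the assumption that ProcessName may carry a path prefix are all placeholders to adjust for your environment.

```kusto
// Added example, not from the original page: a lower-noise variant of the
// "suspicious commands in containers" hunt using only CloudProcessEvents.
let lookback = 14d;                                   // baseline period (assumption)
let window   = 1d;                                    // hunting window (assumption)
let benignNamespaces = dynamic(["kube-system", "monitoring"]);   // assumed baselined namespaces, adjust
let watched = dynamic(["bash", "sh", "dash", "zsh", "curl", "wget"]);
// Normalise the executable name: keep only the last path component in case
// ProcessName is recorded with a directory prefix (assumption, harmless if not).
let baseline =
    CloudProcessEvents
    | where TimeGenerated between (ago(lookback + window) .. ago(window))
    | where ActionType == "ProcessCreated"
    | extend Exe = tolower(extract(@"([^/]+)$", 1, ProcessName))
    | where Exe in (watched)
    | distinct ContainerImageName, Exe;
CloudProcessEvents
| where TimeGenerated > ago(window)
| where ActionType == "ProcessCreated"
| extend Exe = tolower(extract(@"([^/]+)$", 1, ProcessName))
| where Exe in (watched)
| where KubernetesNamespace !in (benignNamespaces)
// leftanti keeps only rows with no match in the baseline: first-seen pairs
| join kind=leftanti baseline on ContainerImageName, Exe
| summarize FirstSeen = min(TimeGenerated),
            Count = count(),
            SampleCommandLines = make_set(ProcessCommandLine, 5)
    by KubernetesNamespace, KubernetesPodName, ContainerImageName, Exe, AccountName
| order by FirstSeen desc
| limit 100
```

A shell that has never been spawned from a given image is a much stronger signal than a shell anywhere; once a pair is reviewed and judged benign it falls into the baseline automatically on the next run, so the query tends to quiet down over time without maintaining an explicit allow list.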