For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.
Volume of Kubernetes API audit events per source IP
Display the count of Kubernetes API audit events generated from a given source IP address for each Nexus cluster.
NCCKubernetesAPIAuditLogs
| where ResponseStatusCode != 401 // Exclude unauthorized responses
| summarize Count = count() by SourceIps, ClusterName
| sort by Count desc
Volume of Kubernetes API audit events per user
Display the count of Kubernetes API audit events generated from a given user for each Nexus cluster.
NCCKubernetesAPIAuditLogs
| where ResponseStatusCode != 401 // Exclude unauthorized responses
| summarize Count = count() by User, ClusterName
| sort by Count desc
Failed Kubernetes API requests
Display failed Kubernetes API requests (4xx and 5xx status codes) grouped by response code and verb for each Nexus cluster.
NCCKubernetesAPIAuditLogs
| where ResponseStatusCode >= 400 // Failed requests (4xx and 5xx)
| summarize Count = count() by ResponseStatusCode, Verb, ClusterName
| sort by Count desc
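The failed-request view above can be narrowed to 403 (forbidden) responses and attributed to the caller, which is usually the first thing to check when the failure count rises. The query below is an added example, not one of the page's own queries. It uses only columns that appear in the queries on this page; the 24-hour lookback, the hourly bin and the threshold of 20 are assumptions to tune per environment.

```kusto
// Added example: forbidden (403) responses per user, source IP and cluster, in hourly bins.
// lookback and minForbidden are illustrative assumptions, not recommended values.
let lookback = 24h;
let minForbidden = 20;
NCCKubernetesAPIAuditLogs
| where TimeGenerated > ago(lookback)
// tostring() keeps the grouping keys valid whether the columns are stored as string or dynamic
| extend UserKey = tostring(User), SourceKey = tostring(SourceIps)
| summarize
    Total = count(),
    Forbidden = countif(ResponseStatusCode == 403),
    ForbiddenVerbs = make_set_if(Verb, ResponseStatusCode == 403, 10)
    by UserKey, SourceKey, ClusterName, bin(TimeGenerated, 1h)
| where Forbidden >= minForbidden
// Share of this caller's requests in the bin that were denied
| extend ForbiddenPct = round(100.0 * Forbidden / Total, 1)
| project TimeGenerated, ClusterName, UserKey, SourceKey, Forbidden, Total, ForbiddenPct, ForbiddenVerbs
| sort by Forbidden desc
```

A high ForbiddenPct with several verbs in ForbiddenVerbs points to an identity probing beyond its RBAC grants; a high count on a single verb is more often a misconfigured workload or controller.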
Kubernetes deployment modification audit events
Query for Kubernetes API audit events showing modifications (create, update, patch, delete) to deployments in Nexus clusters.
NCCKubernetesAPIAuditLogs
| where ObjectRef contains "deployments"
| where Verb in ("create", "update", "patch", "delete")
| project TimeGenerated, Verb, RequestUri, User, ObjectRef, ResponseStatusCode, ClusterName
| sort by TimeGenerated desc
| limit 100