Solution: Azure Kubernetes Service
| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 2.0.2 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2022-06-01 |
| Solution Folder | Azure kubernetes Service |
| Marketplace | Azure Marketplace · Popularity: 🔵 Medium (78%) |
The Azure Kubernetes Service (AKS) solution ingests AKS activity logs into Microsoft Sentinel through Azure Monitor diagnostic settings configured on the cluster.
Underlying Microsoft technologies used:
This solution depends on the following technologies; some of them may be in Preview or may incur additional ingestion or operational costs:
a. Azure Monitor Resource Diagnostics
This solution provides 1 data connector(s):
Azure Kubernetes Service (AKS) 🔶
🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: the identification is based on column-name suffixes, which are also permitted in CLv2, so this classification may not always be accurate.
This solution uses 3 table(s):
| Table | Used By Connectors | Used By Content |
|---|---|---|
| AzureDiagnostics 🔶 | Azure Kubernetes Service (AKS) | Hunting, Workbooks |
| ContainerInventory | Azure Kubernetes Service (AKS) | - |
| KubeEvents | Azure Kubernetes Service (AKS) | - |
The following 1 table(s) are used internally by this solution's content items:
| Table | Used By Connectors | Used By Content |
|---|---|---|
| SecurityAlert | - | Workbooks |
🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: the identification is based on column-name suffixes, which are also permitted in CLv2, so this classification may not always be accurate.
This solution includes 3 content item(s):
| Content Type | Count |
|---|---|
| Hunting Queries | 2 |
| Workbooks | 1 |
Hunting queries (2):
| Name | Tactics | Tables Used |
|---|---|---|
| Azure RBAC AKS created role details | Persistence | AzureDiagnostics |
| Determine users with cluster admin role | Persistence | AzureDiagnostics |
Workbooks (1):
| Name | Tables Used |
|---|---|
| AksSecurity | AzureDiagnostics (internal use: SecurityAlert) |
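The two hunting queries above look for role bindings that hand out cluster-admin in the kube-audit events the connector writes to AzureDiagnostics. The script below is an added example, not part of the solution (whose queries are KQL run inside Sentinel): it applies the same detection logic offline to constructed rows shaped like AzureDiagnostics records, where the Kubernetes audit event arrives as JSON in the log_s column with Category set to kube-audit or kube-audit-admin (the latter drops get/list events, so it is cheaper to ingest but blind to read-only enumeration). It assumes the audit policy records request bodies (requestObject present), which is what makes the roleRef visible; the sample rows, usernames and binding names are made up.

```python
"""Flag role bindings that grant cluster-admin in AKS kube-audit events.

Added example, not the Sentinel solution's own code. Rows imitate the
AzureDiagnostics columns Category and log_s; the audit-event structure
(kind, stage, verb, user, objectRef, requestObject, responseStatus) is the
standard Kubernetes audit Event. All sample data below is constructed.
"""
import json

CLUSTER_ADMIN = "cluster-admin"
AUDIT_CATEGORIES = {"kube-audit", "kube-audit-admin"}
BINDING_RESOURCES = {"clusterrolebindings", "rolebindings"}
WRITE_VERBS = {"create", "update", "patch"}


def audit_row(verb, resource, name, role=None, subjects=None, code=201,
              namespace=None, category="kube-audit-admin", stage="ResponseComplete"):
    """Build one constructed AzureDiagnostics-style row (hypothetical helper)."""
    ev = {
        "kind": "Event", "stage": stage, "verb": verb,
        "user": {"username": "alice@example.com", "groups": ["system:authenticated"]},
        "objectRef": {"resource": resource, "name": name,
                      "apiGroup": "rbac.authorization.k8s.io"},
        "responseStatus": {"code": code},
    }
    if namespace:
        ev["objectRef"]["namespace"] = namespace
    if role:  # request body is only present at audit level Request/RequestResponse
        ev["requestObject"] = {"roleRef": {"kind": "ClusterRole", "name": role},
                               "subjects": subjects or []}
    return {"Category": category, "log_s": json.dumps(ev)}


# Constructed sample: two real grants, one namespaced grant, plus noise and a denied attempt.
SAMPLE_ROWS = [
    audit_row("create", "clusterrolebindings", "bob-admin", CLUSTER_ADMIN,
              [{"kind": "User", "name": "bob@example.com"}]),
    audit_row("create", "rolebindings", "ci-admin", CLUSTER_ADMIN,
              [{"kind": "ServiceAccount", "name": "ci", "namespace": "dev"}], namespace="dev"),
    audit_row("create", "clusterrolebindings", "auditors", "view",
              [{"kind": "Group", "name": "auditors"}]),
    audit_row("create", "clusterrolebindings", "denied", CLUSTER_ADMIN,
              [{"kind": "User", "name": "mallory@example.com"}], code=403),
    audit_row("get", "pods", "web-0", namespace="dev", code=200),
    audit_row("create", "clusterrolebindings", "bob-admin", CLUSTER_ADMIN,
              [{"kind": "User", "name": "bob@example.com"}], stage="RequestReceived"),
    {"Category": "kube-apiserver", "log_s": "I0601 12:00:00.000000 1 trace.go:205 non-JSON line"},
    audit_row("update", "clusterrolebindings", "platform-admins", CLUSTER_ADMIN,
              [{"kind": "Group", "name": "platform"}, {"kind": "User", "name": "eve@example.com"}],
              code=200),
]


def parse_audit_event(row):
    """Return the audit Event dict from a row, or None if the row is not a kube-audit event."""
    if row.get("Category") not in AUDIT_CATEGORIES:
        return None
    try:
        ev = json.loads(row.get("log_s", ""))
    except json.JSONDecodeError:
        return None
    return ev if isinstance(ev, dict) and ev.get("kind") == "Event" else None


def find_cluster_admin_grants(rows):
    """Return one finding per successful write of a binding whose roleRef is cluster-admin."""
    findings = []
    for row in rows:
        ev = parse_audit_event(row)
        if ev is None or ev.get("stage") != "ResponseComplete":
            continue  # RequestReceived is a pre-outcome duplicate; wait for the result
        if ev.get("verb") not in WRITE_VERBS:
            continue
        ref = ev.get("objectRef", {})
        if ref.get("resource") not in BINDING_RESOURCES:
            continue
        if ev.get("responseStatus", {}).get("code", 0) >= 300:
            continue  # denied (403) or failed requests did not change RBAC
        body = ev.get("requestObject") or {}
        role_ref = body.get("roleRef", {})
        # A patch body carries only changed fields; a subject-only patch against an
        # existing cluster-admin binding needs the stored binding to be resolved.
        if role_ref.get("kind") != "ClusterRole" or role_ref.get("name") != CLUSTER_ADMIN:
            continue
        findings.append({
            "actor": ev.get("user", {}).get("username"),
            "verb": ev["verb"],
            "binding": ref.get("name"),
            "scope": ref.get("namespace") or "cluster",  # RoleBinding + cluster-admin is namespace-wide admin
            "subjects": [f"{s.get('kind')}:{s.get('name')}" for s in body.get("subjects", [])],
        })
    return findings


if __name__ == "__main__":
    for finding in find_cluster_admin_grants(SAMPLE_ROWS):
        print(json.dumps(finding))
```

The scope field matters in triage: a RoleBinding to the cluster-admin ClusterRole is not cluster-wide, but it is unrestricted within its namespace, which is exactly what the second hunting query is meant to surface alongside cluster-wide bindings.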