How to Connect Azure Kubernetes to Azure Sentinel

Not surprisingly I had a couple customers and someone on Twitter ask recently about how they could use Azure Sentinel to query against and monitor the Kubernetes service and containers. It’s just early days for me as I start to test and expose the security events that are available in the data that is ingested, but I thought I’d at least put together the steps to connect AKS to Azure Sentinel so you can get started, too.

Connecting AKS to Azure Sentinel

Once you have your container created, go to the Monitoring section and then to Diagnostic Settings as shown in the next image. Click Add Diagnostic Setting.

Add a Diagnostic Setting

As shown in the next image, there are several logs that are maintained by AKS. I’m still working to determine which are valuable and which are not, so I have all selected for now (including Metrics).

On the right-hand side of the new Diagnostic Setting, send the logs to your Azure Sentinel Log Analytics Workspace.

Select logs and send to your Azure Sentinel LAW

Save the new Diagnostic Setting.
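The portal steps above can also be scripted with the Azure CLI, which keeps the setting reproducible across clusters. This is an added example, not part of the original post; the function names, the default setting name `aks-to-sentinel`, and the two resource-ID arguments are assumptions.

```shell
#!/bin/sh
# Added example: CLI counterpart of "Add Diagnostic Setting" in the portal.
# Usage (IDs are placeholders you supply):
#   sh connect-aks.sh <aks-cluster-resource-id> <log-analytics-workspace-resource-id>

# Build the JSON array expected by --logs from a list of category names.
build_logs_json() {
  logs_json=""
  for category in "$@"; do
    logs_json="${logs_json:+$logs_json,}{\"category\":\"$category\",\"enabled\":true}"
  done
  printf '[%s]' "$logs_json"
}

connect_aks_to_sentinel() {
  aks_id=$1
  law_id=$2
  setting_name=${3:-aks-to-sentinel}   # assumed name; any unique name works

  # "Select all": ask Azure which log categories this cluster exposes
  # instead of hardcoding them.
  categories=$(az monitor diagnostic-settings categories list \
      --resource "$aks_id" \
      --query "value[?categoryType=='Logs'].name" -o tsv) || return 1
  [ -n "$categories" ] || { echo "no log categories returned" >&2; return 1; }

  # Word splitting of $categories is intended: one argument per category.
  # shellcheck disable=SC2086
  az monitor diagnostic-settings create \
      --name "$setting_name" \
      --resource "$aks_id" \
      --workspace "$law_id" \
      --logs "$(build_logs_json $categories)" \
      --metrics '[{"category":"AllMetrics","enabled":true}]'
}

# Run only when both resource IDs are supplied on the command line.
if [ "$#" -ge 2 ]; then
  connect_aks_to_sentinel "$@"
fi
```

Afterwards, `az monitor diagnostic-settings list --resource <aks-cluster-resource-id>` shows the setting and the categories it enabled.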

Once the data starts flowing, you’ll see the following log files in Azure Sentinel…

Kube logs

Curious about what columns are available to query against? Use the getschema KQL operator.

Example:

KubeEvents
| getschema

KQL getschema

Additionally, there’s a “How to query logs from Azure Monitor for containers” article on our Docs site that has some sample KQL queries.

Happy testing!
