AWS EKS audit logs, ingested through the Microsoft Sentinel connector, contain detailed information about API server requests, authentication decisions, and cluster activity from Amazon Elastic Kubernetes Service. These logs support security monitoring and compliance tracking for Kubernetes clusters.
Table attributes
| Attribute | Value |
|---|---|
| Resource types | - |
| Categories | Security |
| Solutions | SecurityInsights |
| Basic log | Yes |
| Ingestion-time DCR support | No |
| Lake-only ingestion | Yes |
| Sample Queries | - |
Columns
| Column | Type | Description |
|---|---|---|
| AuthDecision | string | The authorization decision made by the Kubernetes RBAC system (e.g., allow, forbid). |
| AwsAccountId | string | The AWS account ID where the EKS cluster is located. |
| _BilledSize | real | The record size in bytes |
| ClusterName | string | The name of the EKS cluster that generated the audit event. |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account. |
| ObjectRef | string | Reference to the Kubernetes object that was accessed (namespace/resource/name). |
| RawEvent | dynamic | The complete raw EKS audit event data containing additional context and metadata. |
| Region | string | The AWS region where the EKS cluster is located. |
| ResponseCode | int | The HTTP response status code of the API request. |
| SourceIPs | dynamic | Array of source IP addresses from where the request originated. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| Stage | string | The stage of request processing when the audit event was generated (e.g., RequestReceived, ResponseComplete). |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | The timestamp (UTC) when the EKS audit event was generated. |
| Type | string | The name of the table |
| User | string | The user or service account that performed the action. |
| UserAgent | string | The user agent string of the client that made the request. |
| Verb | string | The Kubernetes API verb (action) performed (e.g., get, create, update, delete). |
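The following KQL hunting query is an added example, not part of this page or of Microsoft's own sample queries, showing how the columns above combine to surface principals that repeatedly hit RBAC denials (a common signal of misconfigured workloads or of a compromised identity probing its permissions). It assumes the table is named AWSEKSAudit, which the page does not state, and that ObjectRef follows the namespace/resource/name layout described above.

```kql
// Added example: assumes the table name is AWSEKSAudit (not stated on the page).
// Counts denied or rejected API requests per principal and source over the last day.
AWSEKSAudit
| where TimeGenerated > ago(1d)
// Each request produces several stages; keep only the final one so it is counted once.
| where Stage == "ResponseComplete"
// RBAC denial recorded by the audit policy, or an HTTP 401/403 from the API server.
| where AuthDecision =~ "forbid" or ResponseCode in (401, 403)
// SourceIPs is an array; the first entry is the client address (later entries are proxies).
| extend SourceIP = tostring(SourceIPs[0])
// ObjectRef is "namespace/resource/name"; pull out the resource kind (e.g., secrets, pods).
| extend Namespace = tostring(split(ObjectRef, "/")[0]),
         Resource  = tostring(split(ObjectRef, "/")[1])
| summarize Denials   = count(),
            Verbs     = make_set(Verb, 10),
            Resources = make_set(Resource, 20),
            Namespaces = make_set(Namespace, 20),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
    by AwsAccountId, Region, ClusterName, User, SourceIP, UserAgent
// Threshold chosen for illustration; tune it to the baseline of your clusters.
| where Denials >= 10
// Flag principals whose denials touch sensitive resource kinds.
| extend TouchesSensitive = Resources has_any ("secrets", "clusterrolebindings", "rolebindings", "serviceaccounts")
| order by TouchesSensitive desc, Denials desc
```

Because this is a Basic log table, run the query over a bounded time range and consider promoting high-value results to an analytic rule rather than querying interactively at scale.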