Unable to import Kubernetes Audit Logs from a Log Analytics Workspace to Prisma Cloud.

Created On 03/14/24 09:15 AM - Last Modified 08/07/25 16:10 PM


Symptom


  • The customer has enabled Kubernetes auditing in Prisma Cloud and has completed all necessary configuration on both the Azure and Prisma sides.
  • The customer's setup includes a Log Analytics workspace that successfully hosts the AKS audit logs, and this workspace has been correctly configured in Prisma under the Kubernetes auditing section.
  • They have also set up a custom rule in Prisma to trigger alerts on "privileged pod creation".
  • However, despite the creation of a privileged pod, no alerts appear under the Kubernetes auditing events.
$ kubectl apply -f priv-pod.yaml
 


Environment


  • Prisma Cloud Compute Edition
  • Azure
  • Kubernetes


Cause


This issue can be caused by either of the following:

  • The column log_s does not exist in the Log Analytics workspace.
  • An incorrect Destination table is set in the Azure diagnostic settings.


Resolution


  • Run the query below in the Log Analytics workspace to check whether the column log_s exists:
AzureDiagnostics
| project ResourceGroup, SubscriptionId, Resource, ResourceType, log_s, Category
| where ResourceType == "MANAGEDCLUSTERS" and Category == "kube-audit"
| where log_s has "ResponseComplete" and (log_s has "Request" or log_s has "RequestResponse")
  • The query above should return rows with a populated log_s column in the Logs workspace.
  • The Destination table in the Azure diagnostic setting must be set to Azure Diagnostics, not Resource specific.
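As an added illustration (not part of the original article), the Python below emulates the two checks above over constructed data: the KQL filter applied to AzureDiagnostics-shaped rows, including the case where the log_s column is absent, and a check of a diagnostic setting's destination type. The field names logAnalyticsDestinationType and logs[].category/enabled are assumed from the Azure Monitor diagnostic-settings API; all sample rows and settings are constructed.

```python
import json
import re

# Constructed sample rows in the shape of the AzureDiagnostics table (not a real
# workspace export); the column names are the ones the article's KQL query uses.
SAMPLE_ROWS = [
    {"Resource": "AKS-DEMO", "ResourceType": "MANAGEDCLUSTERS", "Category": "kube-audit",
     "log_s": json.dumps({"stage": "ResponseComplete", "level": "RequestResponse",
                          "verb": "create", "objectRef": {"resource": "pods"}})},
    {"Resource": "AKS-DEMO", "ResourceType": "MANAGEDCLUSTERS", "Category": "kube-audit",
     "log_s": json.dumps({"stage": "ResponseStarted", "level": "Metadata", "verb": "watch"})},
    {"Resource": "KV-DEMO", "ResourceType": "VAULTS", "Category": "AuditEvent",
     "log_s": json.dumps({"stage": "ResponseComplete", "level": "Request"})},
]

# Constructed diagnostic-setting objects in the shape of the Azure Monitor API
# (assumption: logAnalyticsDestinationType is "Dedicated" for resource-specific
# tables and absent when logs go to the shared AzureDiagnostics table).
SETTING_AZUREDIAG = {"name": "aks-audit", "logs": [{"category": "kube-audit", "enabled": True}]}
SETTING_DEDICATED = {"name": "aks-audit", "logAnalyticsDestinationType": "Dedicated",
                     "logs": [{"category": "kube-audit", "enabled": True}]}


def has_term(text, term):
    """Approximate KQL `has`: case-insensitive match on a whole token, not a substring."""
    return term.lower() in {t.lower() for t in re.findall(r"[A-Za-z0-9]+", text)}


def missing_log_s(rows):
    """True when any kube-audit row lacks log_s, which is how the workspace looks
    when audit data was routed to a resource-specific table instead."""
    return any("log_s" not in r for r in rows if r.get("Category") == "kube-audit")


def audit_rows(rows):
    """Emulate the article's KQL filter; returns nothing if log_s is missing."""
    if missing_log_s(rows):
        return []
    return [r for r in rows
            if r.get("ResourceType") == "MANAGEDCLUSTERS" and r.get("Category") == "kube-audit"
            and has_term(r["log_s"], "ResponseComplete")
            and (has_term(r["log_s"], "Request") or has_term(r["log_s"], "RequestResponse"))]


def destination_ok(setting):
    """True when kube-audit is enabled and routed to the AzureDiagnostics table."""
    enabled = {l["category"] for l in setting.get("logs", []) if l.get("enabled")}
    return "kube-audit" in enabled and setting.get("logAnalyticsDestinationType") != "Dedicated"
```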

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008XZ4CAM&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail