Configure SIEM alerts for usage of Kubernetes local service accounts

Dipesh Shah
2 min read · Feb 19, 2023

Azure Kubernetes Service (AKS) is an open-source, fully managed container (packaged application) orchestration service on the Microsoft Azure public cloud. It is used to deploy, scale and manage containers and container-based applications in a cluster environment.

By default, when you create a Kubernetes cluster, access to the cluster is through a local admin account. This is undesirable for security reasons, as anyone can use a local account. It is also harder to trace back the audit events that used local…

Dipesh Shah

Enterprise Cloud Solution Architect, DevOps Lead, Learner