From b05398ed562b0de48765b9f32718087e8e41effe Mon Sep 17 00:00:00 2001
From: alonalcide <61546558+alonalcide@users.noreply.github.com>
Date: Thu, 19 Mar 2020 01:16:14 +0200
Subject: [PATCH] Added DataConnector (alcide_kaudit.json) and Alcide logo (#510)

* Added DataConnector (alcide_kaudit.json) and Alcide logo
* Sample data files
Added 4 sample data files.
* Replaced fixed sample data files
* Create .DS_Store
* Update alcide_kaudit_activity_1_CL.json
* Update alcide_kaudit.json
* Delete .DS_Store
* Update alcide_kaudit.json
* Update alcide_kaudit.json
---
 DataConnectors/alcide_kaudit.json | 97 ++++
 ..._logo_06_080318_export_vertical copy 2.png | Bin 0 -> 2182 bytes
 Sample Data/alcide_kaudit_activity_1_CL.json | 384 +++++++++++++++
 .../alcide_kaudit_detections_1_CL.json | 237 ++++++++++
 .../alcide_kaudit_selections_count_1_CL.json | 35 ++
 ...alcide_kaudit_selections_details_1_CL.json | 436 ++++++++++++++++++
 6 files changed, 1189 insertions(+)
 create mode 100644 DataConnectors/alcide_kaudit.json
 create mode 100644 Logos/alcide_logo_06_080318_export_vertical copy 2.png
 create mode 100644 Sample Data/alcide_kaudit_activity_1_CL.json
 create mode 100644 Sample Data/alcide_kaudit_detections_1_CL.json
 create mode 100644 Sample Data/alcide_kaudit_selections_count_1_CL.json
 create mode 100644 Sample Data/alcide_kaudit_selections_details_1_CL.json
diff --git a/DataConnectors/alcide_kaudit.json b/DataConnectors/alcide_kaudit.json
new file mode 100644
index 0000000000..52a8190a64
--- /dev/null
+++ b/DataConnectors/alcide_kaudit.json
@@ -0,0 +1,97 @@
+{
+ "id": "Alcide_kAudit",
+ "title": "Alcide kAudit",
+ "publisher": "Alcide",
+ "descriptionMarkdown": "Alcide kAudit connector allows you to automatically export your Kubernetes cluster audit logs into Azure Sentinel in real-time. This enables enhanced visibility and observability into your Kubernetes audit logs, providing robust security and monitoring capabilities for forensics purposes.",
+ "graphQueries": [
+ {
+ "metricName": "Anomalies and Incidents - All Data",
+ "legend": "alcide_kaudit_detections_1_CL",
+ "baseQuery": "alcide_kaudit_detections_1_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description" : "All detections (anomalies and incidents) entries",
+ "query": "\nalcide_kaudit_detections_1_CL\n| sort by TimeGenerated\n"
+ },
+ {
+ "description" : "All audit activity for a Secret resource type, summarized count by resource namespace",
+ "query": "\nalcide_kaudit_activity_1_CL\n| where resource_type_s == \"secrets\"\n| summarize count() by resource_namespace_s"
+ },
+ {
+ "description" : "Audit activity, summarized by principal, Type and Caller IP",
+ "query": "\nalcide_kaudit_selections_details_1_CL\n| summarize count() by principal_s, Type, caller_ip_s"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "alcide_kaudit_activity_1_CL",
+ "lastDataReceivedQuery": "alcide_kaudit_activity_1_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "alcide_kaudit_detections_1_CL",
+ "lastDataReceivedQuery": "alcide_kaudit_detections_1_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "alcide_kaudit_selections_count_1_CL",
+ "lastDataReceivedQuery": "alcide_kaudit_selections_count_1_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "alcide_kaudit_selections_details_1_CL",
+ "lastDataReceivedQuery": "alcide_kaudit_selections_details_1_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "alcide_kaudit_activity_1_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "",
+ "description": "Follow the step-by-step instructions provided in the [Alcide kAudit Installation Guide](https://get.alcide.io/hubfs/Azure%20Sentinel%20Integration%20with%20kAudit.pdf)",
+ "instructions": [
+ {
+ "parameters": {
+ "fillWith": [
+ "WorkspaceId"
+ ],
+ "label": "Workspace ID"
+ },
+ "type": "CopyableLabel"
+ },
+ {
+ "parameters": {
+ "fillWith": [
+ "PrimaryKey"
+ ],
+ "label": "Primary Key"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ]
+}
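Review bot: `requiredPermissions` asks for `"delete": true` on the workspace while `permissionsDisplayText` in the same object tells the user that only read and write permissions are required; a connector that only ingests logs has no need for the delete right, and the two statements contradict each other. Change the block to `"write": true, "read": true, "delete": false` (or, if delete really is needed, say so in the display text). The `IsConnectedQuery` looks only at `alcide_kaudit_activity_1_CL`, so a deployment that forwards only detections would presumably show as disconnected even though `graphQueries` charts `alcide_kaudit_detections_1_CL`; if that is intended, a sentence in the PR description would help. `instructionSteps[0].title` is an empty string, which presumably renders as a blank heading; either give it a title or drop the key.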
diff --git a/Logos/alcide_logo_06_080318_export_vertical copy 2.png b/Logos/alcide_logo_06_080318_export_vertical copy 2.png new file mode 100644 index 0000000000000000000000000000000000000000..a7aa822c723c83ffaf1255af83a10a361b6f26ed GIT binary patch literal 2182 zcmV;12zmF3P)UTkg6jD9=;DlceL-$uHh_JF7Lc&ObbwoRUhV_f zhscfxVt@c5#)k7y#RlZ2;`u1H5wMvNivbQmazD;cLU@r8yFrj>e~+OE;R@6YfMy`R zOwb5a)PTiB_kpAWl(zt=CK1G7!5iU_sB=IwT#?v721Ts`7BK^ye6ZIbDStka*a09u z2*mY3d;yyI4nXA`(A0tWj-be4LQ;ec5R-PmjsOTCIsziI03$&|h|I=J1Py^`UVyu# z!)FjegCNwfL_&r!;xR-KXutz3rKkb^yoPFsAyDB3teF&2J_?}cJti!MBqAANfTi4o zX%;{(beS+ToR?dG#J&J^9eNN1!VM$fHC$zp07?adqz0Sf_sBNk02oCKBi>Q~RL@af zuTY-190-bGQG+dI@5drmPe=_Tyk!FkU`MDTM-0WF@IlQUpd_#!R=_c#B{F0i9l@Fr zDSAJ&u!jZsdgM|Q-4=*TFm1=?B2Xo8A68WX1YpNnju3=_C}Fq@4LD;7lt2g20aT!N zpcP09mS6?Y0WDC1C76U@eoL}JhLbyk2NLCxWZy@!(FVJ1>OMPSUQ9Qvb>7mL!8!z*}>tMyYvj&re&LqJAL2z_;>0NUtZJ2{(9B!?SvUbkvoRN^@s1yaW{Pq&WZQpcHp zDNVvm6kh1*jl!8$B)NT4urdaNmWB%YFX*l$O}>J$f*jL5vt*P;n`3I!_-CpEr;Ld< zDh56lvAq(R#GNvy6+9VpAHckZYo4B5pGFSKImgLy#$C}z0CuhDIAIuuI=&3R2w?-d zLAn8K02_1zM(8mCY*02xHV7M(4af#{nU|cW2P;#5iK%;0+0H_|GIvkTgNusl;f~~I#3D(MNkhLd-eRg07A@EroUm#E+ z>^Y&(B+Li>=*wfiU$oCPn;8hkf~54 zQ4Aq=&OxVk(~<;1)xQT%YD_(gd3vG7F@3J$8Vl^K!_3ORB6E_8d()}(r1qsnydHhW zp-x`Mv{N!5HOvhVTF0`J(kNEQ&Pv`@C2}GkfVM+XTBQjY{!;_RZ1`@)r~O1>~WWA4pdtT*0jnGajn5jJ~a zWI?l5t(!}P7jH&F@P=&dcR<+Gx)Z66sQ+xee7h09Ujf>=!s~=VAPhbSNGE7EsBVB0 z)D5f?XeMZ#z;*(4f~FIg4a^2Qf+MuZ<%N(-fFvZ?=e_4Ifd?OV$KCOfAxH*w+k2E2 znffp->H#p-S7{yqMF$4vNc8syg91f81_pD0v&Na~T>ymLkJ(GFK#h6=W(P-B9XNaG zoZZy4%Z}00{c8|@Gm8PUbkg5jfXpfq=B6?rP}FN+%Hx}GPMWiKoB`w-m}aM-_BzEq zKzZ~Vw2ouM!nd$+J&-*CMLhuqTWD$sRCjY}4NyP85TAgegV?<&xSfce@-HvU>{_K` zpy;4>u3t>^JglRGgSJcyE@=IwJy6{wsA7Z5m&O=S6-)@)fx2drfF@m90!3N@Bg}Ve znDc2j!o~-2jbau)gI9Pzdr2yVIlUWbigipz8%&0QZHJaUxrT8nW!&O&Jpj#kZBP}s zf`-R^28v7y?tBz(?vX7hZgMfPyPOlUvN*oGmd;Jvb-9CU)&k5SbO1(tGh2sLfFWzr zA%LcH{0R|Ex0F2OArJX)(%uK*UzYgjaJ>8>P#^sj89j8QUdBiqvyhJDoFG}IPV6mM zoebimITG?83U3rmcUy!I6NtG|tD{~pb{5EdVpwldG_ht6FlRt)sWvhF%hPg3U1uWZ 
zwVt4&zs4Gugnz)EDkC$ytJ! z9F+D99^XWuJrkHG_O+hNU)#N+)e|C~&c;&elewEKjQPbWZxJce+yYqKu^~7aLvgC? zQV8Q>#kZf@lL#L#o99_s9M*q{_|tFcS?^f^_m%|Hih@*F$e6_rFvJI3LEA#b`6U&} z=^Qy>5~ZCw-UYo7$lqh+8p!=xo&@Knh$XtBKO@CDc%rub1!Mg?0>yBX{r~^~07*qo IM6N<$f;aBXjsO4v literal 0 HcmV?d00001 diff --git a/Sample Data/alcide_kaudit_activity_1_CL.json b/Sample Data/alcide_kaudit_activity_1_CL.json new file mode 100644 index 0000000000..3b6864d534 --- /dev/null +++ b/Sample Data/alcide_kaudit_activity_1_CL.json 
@@ -0,0 +1,384 @@ +[{"principal": "system:serviceaccount:kube-system:generic-garbage-collector", + "user_id": "f1f2f48d-562d-11ea-9f0c-064c9b19af08", + "cluster": "aks-test", + "username": "system:serviceaccount:kube-system:generic-garbage-collector", + "ua_linux": "amd6", + "uri": "/apis/scheduling.k8s.io/v1?timeout=32s", + "verb": "get", + "id": "b9412f02-91d1-46b4-8f2c-9628b9001a11", + "timestamp": "2020-03-01T15:31:00+0000", + "status_code": 200, + "cluster_role": "system:discovery", + "ua_kube_controller_manager": "v1.14.9", + "time": 1583076660021, + "access_type": "read", + "user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system", + "caller_ip": "10.0.97.212", + "non_authorized": false, + "resource_name": "", + "original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:generic-garbage-collector"}, + {"principal": "system:node:ip-192-168-215-208.us-west-2.compute.internal", + "caller_ip_asn": "AMAZON-02", + "user_id": "heptio-authenticator-aws:111111111111:AROA5AHBLVHAHGZPH4LJX", + "cluster": "aks-test", + "username": "system:node:ip-192-168-215-208.us-west-2.compute.internal", + "ua_linux": "amd6", + "uri": "/apis/storage.k8s.io/v1beta1/csidrivers?resourceVersion=1222086&timeout=9m7s&timeoutSeconds=547&watch=true", + "api_group": "storage.k8s.io", + "verb": "watch", + "api_version": "v1beta1", + "id": "7a4ebd7a-f3b4-4194-b8f2-885432a1029f", + "timestamp": "2020-03-01T15:31:00+0000", + "status_code": 200, + "time": 1583076660063, + "resource_type": "csidrivers", + "ua_kubelet": "v1.14.8", + "access_type": "read", + "user_groups": "system:authenticated; system:bootstrappers; system:nodes", + "caller_ip": "35.160.67.136", + "caller_ip_country": "US", + "non_authorized": false, + "resource_name": "csidrivers", + "original_user_agent": "kubelet/v1.14.8 (linux/amd64) kubernetes/b8860f6"}, + {"principal": 
"system:serviceaccount:kube-system:generic-garbage-collector", + "user_id": "f1f2f48d-562d-11ea-9f0c-064c9b19af08", + "cluster": "aks-test", + "username": "system:serviceaccount:kube-system:generic-garbage-collector", + "ua_linux": "amd6", + "uri": "/apis/scheduling.k8s.io/v1beta1?timeout=32s", + "verb": "get", + "id": "e76ce955-1869-4e86-9fd8-14eca13c7469", + "timestamp": "2020-03-01T15:31:00+0000", + "status_code": 200, + "cluster_role": "system:discovery", + "ua_kube_controller_manager": "v1.14.9", + "time": 1583076660071, + "access_type": "read", + "user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system", + "caller_ip": "10.0.97.212", + "non_authorized": false, + "resource_name": "", + "original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:generic-garbage-collector"}, + {"principal": "system:serviceaccount:kube-system:generic-garbage-collector", + "user_id": "f1f2f48d-562d-11ea-9f0c-064c9b19af08", + "cluster": "aks-test", + "username": "system:serviceaccount:kube-system:generic-garbage-collector", + "ua_linux": "amd6", + "uri": "/apis/coordination.k8s.io/v1beta1?timeout=32s", + "verb": "get", + "id": "17923faa-0cdc-4cf1-af08-fd734315ddeb", + "timestamp": "2020-03-01T15:31:00+0000", + "status_code": 200, + "cluster_role": "system:discovery", + "ua_kube_controller_manager": "v1.14.9", + "time": 1583076660121, + "access_type": "read", + "user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system", + "caller_ip": "10.0.97.212", + "non_authorized": false, + "resource_name": "", + "original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:generic-garbage-collector"}, + {"principal": "system:serviceaccount:kube-system:generic-garbage-collector", + "user_id": "f1f2f48d-562d-11ea-9f0c-064c9b19af08", + "cluster": "aks-test", + "username": 
"system:serviceaccount:kube-system:generic-garbage-collector", + "ua_linux": "amd6", + "uri": "/apis/node.k8s.io/v1beta1?timeout=32s", + "verb": "get", + "id": "29ef7a96-08c5-4dd2-b154-778b2d779d92", + "timestamp": "2020-03-01T15:31:00+0000", + "status_code": 200, + "cluster_role": "system:discovery", + "ua_kube_controller_manager": "v1.14.9", + "time": 1583076660171, + "access_type": "read", + "user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system", + "caller_ip": "10.0.97.212", + "non_authorized": false, + "resource_name": "", + "original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:generic-garbage-collector"}, + {"principal": "system:serviceaccount:kube-system:resourcequota-controller", + "user_id": "f40b0751-562d-11ea-9f0c-064c9b19af08", + "cluster": "aks-test", + "username": "system:serviceaccount:kube-system:resourcequota-controller", + "ua_linux": "amd6", + "uri": "/apis?timeout=32s", + "verb": "get", + "id": "371b3edc-c130-4c54-b204-363b872473b8", + "timestamp": "2020-03-01T15:31:00+0000", + "status_code": 200, + "cluster_role": "system:discovery", + "ua_kube_controller_manager": "v1.14.9", + "time": 1583076660363, + "access_type": "read", + "user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system", + "caller_ip": "10.0.97.212", + "non_authorized": false, + "resource_name": "", + "original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:resourcequota-controller"}, + {"principal": "system:serviceaccount:kube-system:resourcequota-controller", + "user_id": "f40b0751-562d-11ea-9f0c-064c9b19af08", + "cluster": "aks-test", + "username": "system:serviceaccount:kube-system:resourcequota-controller", + "ua_linux": "amd6", + "uri": "/api?timeout=32s", + "verb": "get", + "id": "e11e50e5-381c-4953-bfcf-f247670a5f46", + "timestamp": 
"2020-03-01T15:31:00+0000", + "status_code": 200, + "cluster_role": "system:discovery", + "ua_kube_controller_manager": "v1.14.9", + "time": 1583076660363, + "access_type": "read", + "user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system", + "caller_ip": "10.0.97.212", + "non_authorized": false, + "resource_name": "", + "original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:resourcequota-controller"}, + {"principal": "system:serviceaccount:kube-system:resourcequota-controller", + "user_id": "f40b0751-562d-11ea-9f0c-064c9b19af08", + "cluster": "aks-test", + "username": "system:serviceaccount:kube-system:resourcequota-controller", + "ua_linux": "amd6", + "uri": "/apis/crd.k8s.amazonaws.com/v1alpha1?timeout=32s", + "verb": "get", + "id": "872745fb-eca2-4b5d-9dd4-63ca2dd7e6f7", + "timestamp": "2020-03-01T15:31:00+0000", + "status_code": 200, + "cluster_role": "system:discovery", + "ua_kube_controller_manager": "v1.14.9", + "time": 1583076660364, + "access_type": "read", + "user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system", + "caller_ip": "10.0.97.212", + "non_authorized": false, + "resource_name": "", + "original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:resourcequota-controller"}, + {"principal": "system:serviceaccount:kube-system:resourcequota-controller", + "user_id": "f40b0751-562d-11ea-9f0c-064c9b19af08", + "cluster": "aks-test", + "username": "system:serviceaccount:kube-system:resourcequota-controller", + "ua_linux": "amd6", + "uri": "/apis/authorization.k8s.io/v1?timeout=32s", + "verb": "get", + "id": "46f014c4-79ec-42a7-9794-9ccfa34338a8", + "timestamp": "2020-03-01T15:31:00+0000", + "status_code": 200, + "cluster_role": "system:discovery", + "ua_kube_controller_manager": "v1.14.9", + "time": 1583076660365, + "access_type": "read", + 
"user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system", + "caller_ip": "10.0.97.212", + "non_authorized": false, + "resource_name": "", + "original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:resourcequota-controller"}, + {"principal": "system:serviceaccount:kube-system:resourcequota-controller", + "user_id": "f40b0751-562d-11ea-9f0c-064c9b19af08", + "cluster": "aks-test", + "username": "system:serviceaccount:kube-system:resourcequota-controller", + "ua_linux": "amd6", + "uri": "/apis/policy/v1beta1?timeout=32s", + "verb": "get", + "id": "85188a2c-a632-4e4d-bfef-7e9476a9d510", + "timestamp": "2020-03-01T15:31:00+0000", + "status_code": 200, + "cluster_role": "system:discovery", + "ua_kube_controller_manager": "v1.14.9", + "time": 1583076660365, + "access_type": "read", + "user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system", + "caller_ip": "10.0.97.212", + "non_authorized": false, + "resource_name": "", + "original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:resourcequota-controller"}, + {"principal": "system:serviceaccount:kube-system:resourcequota-controller", + "user_id": "f40b0751-562d-11ea-9f0c-064c9b19af08", + "cluster": "aks-test", + "username": "system:serviceaccount:kube-system:resourcequota-controller", + "ua_linux": "amd6", + "uri": "/api/v1?timeout=32s", + "verb": "get", + "id": "c20bb74a-1017-4fd8-a60d-aba5d84facdd", + "timestamp": "2020-03-01T15:31:00+0000", + "status_code": 200, + "cluster_role": "system:discovery", + "ua_kube_controller_manager": "v1.14.9", + "time": 1583076660365, + "access_type": "read", + "user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system", + "caller_ip": "10.0.97.212", + "non_authorized": false, + "resource_name": "", + "original_user_agent": 
"kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:resourcequota-controller"}, + {"principal": "system:serviceaccount:kube-system:resourcequota-controller", + "user_id": "f40b0751-562d-11ea-9f0c-064c9b19af08", + "cluster": "aks-test", + "username": "system:serviceaccount:kube-system:resourcequota-controller", + "ua_linux": "amd6", + "uri": "/apis/autoscaling/v2beta1?timeout=32s", + "verb": "get", + "id": "5e707d6b-b219-4668-a46f-d75727b43c42", + "timestamp": "2020-03-01T15:31:00+0000", + "status_code": 200, + "cluster_role": "system:discovery", + "ua_kube_controller_manager": "v1.14.9", + "time": 1583076660366, + "access_type": "read", + "user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system", + "caller_ip": "10.0.97.212", + "non_authorized": false, + "resource_name": "", + "original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:resourcequota-controller"}, + {"principal": "system:serviceaccount:kube-system:resourcequota-controller", + "user_id": "f40b0751-562d-11ea-9f0c-064c9b19af08", + "cluster": "aks-test", + "username": "system:serviceaccount:kube-system:resourcequota-controller", + "ua_linux": "amd6", + "uri": "/apis/apiregistration.k8s.io/v1beta1?timeout=32s", + "verb": "get", + "id": "61a4cd02-8716-4deb-9494-44fbc7a58bb9", + "timestamp": "2020-03-01T15:31:00+0000", + "status_code": 200, + "cluster_role": "system:discovery", + "ua_kube_controller_manager": "v1.14.9", + "time": 1583076660366, + "access_type": "read", + "user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system", + "caller_ip": "10.0.97.212", + "non_authorized": false, + "resource_name": "", + "original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:resourcequota-controller"}, + {"principal": 
"system:serviceaccount:kube-system:resourcequota-controller", + "user_id": "f40b0751-562d-11ea-9f0c-064c9b19af08", + "cluster": "aks-test", + "username": "system:serviceaccount:kube-system:resourcequota-controller", + "ua_linux": "amd6", + "uri": "/apis/authentication.k8s.io/v1?timeout=32s", + "verb": "get", + "id": "a2a39aae-df26-4b81-8711-caadf749104c", + "timestamp": "2020-03-01T15:31:00+0000", + "status_code": 200, + "cluster_role": "system:discovery", + "ua_kube_controller_manager": "v1.14.9", + "time": 1583076660366, + "access_type": "read", + "user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system", + "caller_ip": "10.0.97.212", + "non_authorized": false, + "resource_name": "", + "original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:resourcequota-controller"}, + {"principal": "system:serviceaccount:kube-system:resourcequota-controller", + "user_id": "f40b0751-562d-11ea-9f0c-064c9b19af08", + "cluster": "aks-test", + "username": "system:serviceaccount:kube-system:resourcequota-controller", + "ua_linux": "amd6", + "uri": "/apis/authentication.k8s.io/v1beta1?timeout=32s", + "verb": "get", + "id": "aa334163-141d-4708-a8b9-c740a856067d", + "timestamp": "2020-03-01T15:31:00+0000", + "status_code": 200, + "cluster_role": "system:discovery", + "ua_kube_controller_manager": "v1.14.9", + "time": 1583076660366, + "access_type": "read", + "user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system", + "caller_ip": "10.0.97.212", + "non_authorized": false, + "resource_name": "", + "original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:resourcequota-controller"}, + {"principal": "system:serviceaccount:kube-system:resourcequota-controller", + "user_id": "f40b0751-562d-11ea-9f0c-064c9b19af08", + "cluster": "aks-test", + "username": 
"system:serviceaccount:kube-system:resourcequota-controller", + "ua_linux": "amd6", + "uri": "/apis/apiregistration.k8s.io/v1?timeout=32s", + "verb": "get", + "id": "faef4f40-a520-44b8-9b50-ea44634cf4d8", + "timestamp": "2020-03-01T15:31:00+0000", + "status_code": 200, + "cluster_role": "system:discovery", + "ua_kube_controller_manager": "v1.14.9", + "time": 1583076660366, + "access_type": "read", + "user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system", + "caller_ip": "10.0.97.212", + "non_authorized": false, + "resource_name": "", + "original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:resourcequota-controller"}, + {"principal": "system:serviceaccount:kube-system:resourcequota-controller", + "user_id": "f40b0751-562d-11ea-9f0c-064c9b19af08", + "cluster": "aks-test", + "username": "system:serviceaccount:kube-system:resourcequota-controller", + "ua_linux": "amd6", + "uri": "/apis/storage.k8s.io/v1beta1?timeout=32s", + "verb": "get", + "id": "0f0ab786-8c50-4a63-b76b-73b6b83131c4", + "timestamp": "2020-03-01T15:31:00+0000", + "status_code": 200, + "cluster_role": "system:discovery", + "ua_kube_controller_manager": "v1.14.9", + "time": 1583076660367, + "access_type": "read", + "user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system", + "caller_ip": "10.0.97.212", + "non_authorized": false, + "resource_name": "", + "original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:resourcequota-controller"}, + {"principal": "system:serviceaccount:kube-system:resourcequota-controller", + "user_id": "f40b0751-562d-11ea-9f0c-064c9b19af08", + "cluster": "aks-test", + "username": "system:serviceaccount:kube-system:resourcequota-controller", + "ua_linux": "amd6", + "uri": "/apis/storage.k8s.io/v1?timeout=32s", + "verb": "get", + "id": 
"1b80c99b-776e-408e-bfb8-7704fa35a7c4", + "timestamp": "2020-03-01T15:31:00+0000", + "status_code": 200, + "cluster_role": "system:discovery", + "ua_kube_controller_manager": "v1.14.9", + "time": 1583076660367, + "access_type": "read", + "user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system", + "caller_ip": "10.0.97.212", + "non_authorized": false, + "resource_name": "", + "original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:resourcequota-controller"}, + {"principal": "system:serviceaccount:kube-system:resourcequota-controller", + "user_id": "f40b0751-562d-11ea-9f0c-064c9b19af08", + "cluster": "aks-test", + "username": "system:serviceaccount:kube-system:resourcequota-controller", + "ua_linux": "amd6", + "uri": "/apis/batch/v1?timeout=32s", + "verb": "get", + "id": "46d509e8-5dea-41a5-883d-5f1712ae5440", + "timestamp": "2020-03-01T15:31:00+0000", + "status_code": 200, + "cluster_role": "system:discovery", + "ua_kube_controller_manager": "v1.14.9", + "time": 1583076660367, + "access_type": "read", + "user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system", + "caller_ip": "10.0.97.212", + "non_authorized": false, + "resource_name": "", + "original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:resourcequota-controller"}, + {"principal": "system:serviceaccount:kube-system:resourcequota-controller", + "user_id": "f40b0751-562d-11ea-9f0c-064c9b19af08", + "cluster": "aks-test", + "username": "system:serviceaccount:kube-system:resourcequota-controller", + "ua_linux": "amd6", + "uri": "/apis/extensions/v1beta1?timeout=32s", + "verb": "get", + "id": "564b4c53-1af3-45cf-9c9a-de4024345531", + "timestamp": "2020-03-01T15:31:00+0000", + "status_code": 200, + "cluster_role": "system:discovery", + "ua_kube_controller_manager": "v1.14.9", + "time": 1583076660367, + 
"access_type": "read", + "user_groups": "system:authenticated; system:serviceaccounts; system:serviceaccounts:kube-system", + "caller_ip": "10.0.97.212", + "non_authorized": false, + "resource_name": "", + "original_user_agent": "kube-controller-manager/v1.14.9 (linux/amd64) kubernetes/502bfb3/system:serviceaccount:kube-system:resourcequota-controller"}] diff --git a/Sample Data/alcide_kaudit_detections_1_CL.json b/Sample Data/alcide_kaudit_detections_1_CL.json new file mode 100644 index 0000000000..a13195bb70 --- /dev/null +++ b/Sample Data/alcide_kaudit_detections_1_CL.json 
@@ -0,0 +1,237 @@ +[{"confidence": "high", + "etype": "principal", + "short_doc": "change in remote commands", + "cluster": "aks-test", + "context_subresource_exec_command": "ls /home", + "reasons_0_values_high": "1", + "timestamp": "2020-03-01T14:36:00+0000", + "reasons_0_direction": "write", + "direction": "write", + "reasons_0_period": 180000, + "time": 1583073360000, + "category": "anomaly", + "period": 180000, + "eid": "kubernetes-admin", + "doc": "unusual change in count of unique remote commands in access attempts", + "reasons_0_doc": "change in count of unique remote commands in write access attempts"}, + {"confidence": "high", + "etype": "principal", + "short_doc": "change in remote commands", + "cluster": "aks-test", + "context_subresource_exec_command": "ls /home", + "reasons_0_values_high": "1", + "timestamp": "2020-03-01T14:36:00+0000", + "reasons_0_direction": "write", + "direction": "write", + "reasons_0_period": 180000, + "time": 1583073360000, + "category": "anomaly", + "period": 180000, + "eid": "kubernetes-admin", + "doc": "unusual change in count of remote commands in access attempts", + "reasons_0_doc": "change in count of remote commands in write access attempts"}, + {"confidence": "high", + "etype": "principal", + "short_doc": "change in remote commands", + "cluster": "aks-test", + "context_subresource_exec_command": "cat /etc/passwd; ls; ls /bin; sh", + "reasons_0_values_high": "4", + "timestamp": "2020-03-01T15:12:00+0000", + "reasons_0_direction": "write", + "direction": "write", + "reasons_0_period": 180000, + "time": 1583075520000, + "category": "anomaly", + "period": 180000, + "eid": "kubernetes-admin", + "doc": "unusual change in count of unique remote commands in access attempts", + "reasons_0_doc": "change in count of unique remote commands in write access attempts"}, + {"confidence": "high", + "etype": "principal", + "short_doc": "change in remote shells", + "cluster": "aks-test", + "reasons_0_values_high": "4", + "timestamp": 
"2020-03-01T15:12:00+0000", + "reasons_0_direction": "write", + "direction": "write", + "reasons_0_period": 180000, + "time": 1583075520000, + "category": "anomaly", + "period": 180000, + "eid": "kubernetes-admin", + "doc": "unusual change in count of unique remote shells", + "reasons_0_doc": "change in count of unique remote shells attempts on resources"}, + {"confidence": "high", + "etype": "principal", + "short_doc": "change in remote commands", + "cluster": "aks-test", + "context_subresource_exec_command": "cat /etc/passwd; ls; ls /bin; sh", + "reasons_0_values_high": "6", + "timestamp": "2020-03-01T15:12:00+0000", + "reasons_0_direction": "write", + "direction": "write", + "reasons_0_period": 180000, + "time": 1583075520000, + "category": "anomaly", + "period": 180000, + "eid": "kubernetes-admin", + "doc": "unusual change in count of remote commands in access attempts", + "reasons_0_doc": "change in count of remote commands in write access attempts"}, + {"confidence": "high", + "etype": "cluster", + "short_doc": "change in remote shells", + "cluster": "aks-test", + "reasons_0_values_high": "4", + "timestamp": "2020-03-01T15:12:00+0000", + "reasons_0_direction": "write", + "direction": "write", + "reasons_0_period": 180000, + "time": 1583075520000, + "category": "anomaly", + "period": 180000, + "eid": "cluster", + "doc": "unusual change in count of unique remote shells", + "reasons_0_doc": "change in count of unique remote shells attempts on resources"}, + {"confidence": "high", + "etype": "cluster", + "short_doc": "change in remote commands", + "cluster": "aks-test", + "context_subresource_exec_command": "cat /etc/passwd; ls; ls /bin; sh", + "reasons_0_values_high": "4", + "timestamp": "2020-03-01T15:12:00+0000", + "reasons_0_direction": "write", + "direction": "write", + "reasons_0_period": 180000, + "time": 1583075520000, + "category": "anomaly", + "period": 180000, + "eid": "cluster", + "doc": "unusual change in count of unique remote commands in access 
attempts", + "reasons_0_doc": "change in count of unique remote commands in write access attempts"}, + {"confidence": "high", + "context_caller_supplied_user_agent": "test; test (compatible; +http://www.google.com/bot.html); test (iPhone; CPU iPhone OS 12_2 like Mac OS X) (KHTML, like Gecko)", + "etype": "principal", + "short_doc": "change in access tool", + "cluster": "aks-test", + "reasons_0_values_high": "3", + "timestamp": "2020-03-01T15:15:00+0000", + "reasons_0_direction": "read", + "direction": "read", + "reasons_0_period": 180000, + "time": 1583075700000, + "category": "anomaly", + "period": 180000, + "eid": "kubernetes-admin", + "doc": "unusual change in tool used in access attempts", + "reasons_0_doc": "change in count of unique caller user-agents in read access attempts"}, + {"confidence": "high", + "etype": "principal", + "context_unusual_uri": "/configs; /debug/pprof; /login/test; /secrets/admin", + "short_doc": "change in targets of access attempts", + "cluster": "aks-test", + "reasons_0_values_high": "4", + "timestamp": "2020-03-01T15:15:00+0000", + "reasons_0_direction": "read", + "direction": "read", + "reasons_0_period": 180000, + "time": 1583075700000, + "category": "anomaly", + "period": 180000, + "eid": "kubernetes-admin", + "doc": "unusual change in count of unique unusual URIs in access attempts", + "reasons_0_doc": "change in count of unique unusual URIs in read access attempts"}, + {"confidence": "high", + "etype": "principal", + "short_doc": "change in status reason of access attempts", + "cluster": "aks-test", + "context_status_reason": "NotFound", + "reasons_0_values_high": "5", + "timestamp": "2020-03-01T15:15:00+0000", + "reasons_0_direction": "read", + "direction": "read", + "reasons_0_period": 180000, + "time": 1583075700000, + "category": "anomaly", + "period": 180000, + "eid": "kubernetes-admin", + "doc": "unusual change in count of unexpected status reason in access attempts", + "reasons_0_doc": "change in count of unexpected 
status reasons in read access attempts"}, + {"confidence": "high", + "etype": "principal", + "context_unusual_uri": "/configs; /debug/pprof; /login/test; /secrets/admin", + "short_doc": "change in targets of access attempts", + "cluster": "aks-test", + "reasons_0_values_high": "5", + "timestamp": "2020-03-01T15:15:00+0000", + "reasons_0_direction": "read", + "direction": "read", + "reasons_0_period": 180000, + "time": 1583075700000, + "category": "anomaly", + "period": 180000, + "eid": "kubernetes-admin", + "doc": "unusual change in count of unusual URIs in access attempts", + "reasons_0_doc": "change in count of unusual URIs in read access attempts"}, + {"confidence": "high", + "etype": "cluster", + "context_unusual_uri": "/configs; /debug/pprof; /login/test; /secrets/admin", + "short_doc": "change in targets of access attempts", + "cluster": "aks-test", + "reasons_0_values_high": "4", + "timestamp": "2020-03-01T15:15:00+0000", + "reasons_0_direction": "read", + "direction": "read", + "reasons_0_period": 180000, + "time": 1583075700000, + "category": "anomaly", + "period": 180000, + "eid": "cluster", + "doc": "unusual change in count of unique unusual URIs in access attempts", + "reasons_0_doc": "change in count of unique unusual URIs in read access attempts"}, + {"confidence": "high", + "etype": "principal", + "short_doc": "change in unauthorized access attempts", + "cluster": "aks-test", + "reasons_0_values_high": "6", + "timestamp": "2020-03-01T15:27:00+0000", + "reasons_0_direction": "write", + "direction": "write", + "reasons_0_period": 180000, + "time": 1583076420000, + "category": "anomaly", + "period": 180000, + "eid": "kubernetes-admin", + "doc": "unusual change in count of unauthorized access attempts", + "reasons_0_doc": "change in count of unauthorized write access attempts"}, + {"confidence": "high", + "etype": "principal", + "short_doc": "change in status reason of access attempts", + "cluster": "aks-test", + "context_status_reason": "Forbidden; 
NotFound",
+ "reasons_0_values_high": "9",
+ "timestamp": "2020-03-01T15:27:00+0000",
+ "reasons_0_direction": "write",
+ "direction": "write",
+ "reasons_0_period": 180000,
+ "time": 1583076420000,
+ "category": "anomaly",
+ "period": 180000,
+ "eid": "kubernetes-admin",
+ "doc": "unusual change in count of unexpected status reason in access attempts",
+ "reasons_0_doc": "change in count of unexpected status reasons in write access attempts"},
+ {"confidence": "high",
+ "etype": "principal",
+ "short_doc": "change in status reason of access attempts",
+ "cluster": "aks-test",
+ "context_status_reason": "Forbidden",
+ "reasons_0_values_high": "4",
+ "timestamp": "2020-03-01T15:27:00+0000",
+ "reasons_0_direction": "write",
+ "direction": "write",
+ "reasons_0_period": 180000,
+ "time": 1583076420000,
+ "category": "anomaly",
+ "period": 180000,
+ "eid": "system:kube-controller-manager",
+ "doc": "unusual change in count of unexpected status reason in access attempts",
+ "reasons_0_doc": "change in count of unexpected status reasons in write access attempts"}]
diff --git a/Sample Data/alcide_kaudit_selections_count_1_CL.json b/Sample Data/alcide_kaudit_selections_count_1_CL.json
new file mode 100644
index 0000000000..11b948a74e
--- /dev/null
+++ b/Sample Data/alcide_kaudit_selections_count_1_CL.json
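Review bot: `reasons_0_values_high` is emitted as a string (`"1"`, `"4"`, `"9"`) while the other numeric fields in the same record (`period`, `reasons_0_period`, `time`) are JSON numbers, so the custom-log column will presumably be typed as text and any threshold query on it needs a `toint()`; `"reasons_0_values_high": 4` keeps the type consistent with its siblings. The `"true"` strings in `subresource_exec_stderr` / `subresource_exec_stdout` in the selections_details sample have the same problem next to the real boolean `non_authorized: false`. Also, `context_subresource_exec_command`, `context_unusual_uri` and `context_status_reason` pack several values into one `;`-separated string, which forces every consumer to re-split them; a JSON array would be cleaner, though that may be fixed by the upstream kAudit schema rather than by this sample.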
@@ -0,0 +1,35 @@
+[{"cluster": "aks-test",
+ "principal": "kubernetes-admin",
+ "rule": "pod execution",
+ "resource_namespace": "kube-system",
+ "time": 1583076422347,
+ "timestamp": "2020-03-01T15:00:00+0000",
+ "count": 10,
+ "count-period": 3600000},
+ {"cluster": "aks-test",
+ "principal": "180.17.6.1",
+ "caller_ip": "180.17.6.1",
+ "caller_ip-country": "IL",
+ "caller_ip_asn": "Partner Communications Ltd.",
+ "rule": "pod execution",
+ "resource_namespace": "kube-system",
+ "time": 1583076422347,
+ "timestamp": "2020-03-01T16:00:00+0000",
+ "count": 1,
+ "count-period": 3600000},
+ {"cluster": "aks-test",
+ "principal": "kubernetes-admin",
+ "rule": "pod creation",
+ "resource_namespace": "kube-system",
+ "time": 1583076422347,
+ "timestamp": "2020-03-01T16:00:00+0000",
+ "count": 3,
+ "count-period": 3600000},
+ {"cluster": "aks-test",
+ "principal": "kubernetes-admin",
+ "rule": "secrets access",
+ "resource_namespace": "kube-system",
+ "time": 1583076422347,
+ "timestamp": "2020-03-01T18:00:00+0000",
+ "count": 3,
+ "count-period": 3600000}]
\ No newline at end of file
diff --git a/Sample Data/alcide_kaudit_selections_details_1_CL.json b/Sample Data/alcide_kaudit_selections_details_1_CL.json
new file mode 100644
index 0000000000..be0cf29d9e
--- /dev/null
+++ b/Sample Data/alcide_kaudit_selections_details_1_CL.json
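Review bot: Two keys in this file use a hyphen — `caller_ip-country` and `count-period` — while every other key here and in the details sample uses snake_case (`caller_ip_asn`, `caller_ip_country`). Custom-log column names are derived from the JSON keys, so the hyphenated forms will presumably surface as columns named differently from the details table's `caller_ip_country_s`; `"caller_ip_country": "IL",` and `"count_period": 3600000` would make the two samples agree, if that matches what the connector actually emits. All four records also carry the same `time` value (1583076422347) while their `timestamp` values span 15:00 to 18:00, so the two fields contradict each other. Sample data committed to a public repository should use documentation-range addresses (RFC 5737) rather than a routable address such as the `180.17.6.1` principal.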
@@ -0,0 +1,436 @@
+[{"principal": "kubernetes-admin",
+ "caller_ip_asn": "Partner Communications Ltd.",
+ "subresource_exec_container": "kube-proxy",
+ "user_id": "heptio-authenticator-aws:111111111111:AIDAIANUOR22TDHE5UU66",
+ "rule": "pod execution",
+ "cluster": "aks-test",
+ "subresource_exec_stderr": "true",
+ "username": "kubernetes-admin",
+ "uri": "/api/v1/namespaces/kube-system/pods/kube-proxy-ttffx/exec?command=ls&command=%2Fbin&container=kube-proxy&stderr=true&stdout=true",
+ "verb": "create",
+ "api_version": "v1",
+ "resource_namespace": "kube-system",
+ "id": "3cf94957-7435-40a9-98ad-399482337379",
+ "timestamp": "2020-03-01T15:09:03+0000",
+ "subresource_exec_stdout": "true",
+ "status_code": 101,
+ "subresource_exec_command": "ls /bin",
+ "subresource": "exec",
+ "time": 1583075343771,
+ "resource_type": "pods",
+ "access_type": "write",
+ "user_groups": "system:authenticated; system:masters",
+ "ua_kubectl": "v1.14.10",
+ "caller_ip": "77.125.20.90",
+ "caller_ip_country": "IL",
+ "non_authorized": false,
+ "resource_name": "kube-system/pods/kube-proxy-ttffx",
+ "ua_windows": "amd6",
+ "original_user_agent": "kubectl/v1.14.10 (windows/amd64) kubernetes/f5757a1"},
+ {"principal": "kubernetes-admin",
+ "caller_ip_asn": "Partner Communications Ltd.",
+ "subresource_exec_container": "kube-proxy",
+ "user_id": "heptio-authenticator-aws:111111111111:AIDAIANUOR22TDHE5UU66",
+ "rule": "pod execution",
+ "cluster": "aks-test",
+ "subresource_exec_stdin": "true",
+ "subresource_exec_tty": "true",
+ "username": "kubernetes-admin",
+ "uri": "/api/v1/namespaces/kube-system/pods/kube-proxy-ttffx/exec?command=sh&container=kube-proxy&stdin=true&stdout=true&tty=true",
+ "verb": "create",
+ "api_version": "v1",
+ "resource_namespace": "kube-system",
+ "id": "42498a0d-7a75-4a43-8c4d-1f4a724d5fa9",
+ "timestamp": "2020-03-01T15:09:09+0000",
+ "subresource_exec_stdout": "true",
+ "status_code": 101,
+ "subresource_exec_command": "sh",
+ "subresource": "exec",
+ "time": 
1583075349980,
+ "resource_type": "pods",
+ "access_type": "write",
+ "user_groups": "system:authenticated; system:masters",
+ "ua_kubectl": "v1.14.10",
+ "caller_ip": "77.125.20.90",
+ "caller_ip_country": "IL",
+ "non_authorized": false,
+ "resource_name": "kube-system/pods/kube-proxy-ttffx",
+ "ua_windows": "amd6",
+ "original_user_agent": "kubectl/v1.14.10 (windows/amd64) kubernetes/f5757a1"},
+ {"principal": "kubernetes-admin",
+ "caller_ip_asn": "Partner Communications Ltd.",
+ "subresource_exec_container": "kube-proxy",
+ "user_id": "heptio-authenticator-aws:111111111111:AIDAIANUOR22TDHE5UU66",
+ "rule": "pod execution",
+ "cluster": "aks-test",
+ "subresource_exec_stderr": "true",
+ "username": "kubernetes-admin",
+ "uri": "/api/v1/namespaces/kube-system/pods/kube-proxy-wtq8x/exec?command=cat&command=%2Fetc%2Fpasswd&container=kube-proxy&stderr=true&stdout=true",
+ "verb": "create",
+ "api_version": "v1",
+ "resource_namespace": "kube-system",
+ "id": "7cfd1bf1-cf75-4711-b62d-712a5f7670eb",
+ "timestamp": "2020-03-01T15:09:25+0000",
+ "subresource_exec_stdout": "true",
+ "status_code": 101,
+ "subresource_exec_command": "cat /etc/passwd",
+ "subresource": "exec",
+ "time": 1583075365850,
+ "resource_type": "pods",
+ "access_type": "write",
+ "user_groups": "system:authenticated; system:masters",
+ "ua_kubectl": "v1.14.10",
+ "caller_ip": "77.125.20.90",
+ "caller_ip_country": "IL",
+ "non_authorized": false,
+ "resource_name": "kube-system/pods/kube-proxy-wtq8x",
+ "ua_windows": "amd6",
+ "original_user_agent": "kubectl/v1.14.10 (windows/amd64) kubernetes/f5757a1"},
+ {"principal": "kubernetes-admin",
+ "caller_ip_asn": "Partner Communications Ltd.",
+ "subresource_exec_container": "kube-proxy",
+ "user_id": "heptio-authenticator-aws:111111111111:AIDAIANUOR22TDHE5UU66",
+ "rule": "pod execution",
+ "cluster": "aks-test",
+ "subresource_exec_stderr": "true",
+ "username": "kubernetes-admin",
+ "uri": 
"/api/v1/namespaces/kube-system/pods/kube-proxy-ttffx/exec?command=ls&command=%2Fbin&container=kube-proxy&stderr=true&stdout=true",
+ "verb": "create",
+ "api_version": "v1",
+ "resource_namespace": "kube-system",
+ "id": "45935bdd-8cfe-4872-a66f-c9578c27591c",
+ "timestamp": "2020-03-01T15:10:17+0000",
+ "subresource_exec_stdout": "true",
+ "status_code": 101,
+ "subresource_exec_command": "ls /bin",
+ "subresource": "exec",
+ "time": 1583075417171,
+ "resource_type": "pods",
+ "access_type": "write",
+ "user_groups": "system:authenticated; system:masters",
+ "ua_kubectl": "v1.14.10",
+ "caller_ip": "77.125.20.90",
+ "caller_ip_country": "IL",
+ "non_authorized": false,
+ "resource_name": "kube-system/pods/kube-proxy-ttffx",
+ "ua_windows": "amd6",
+ "original_user_agent": "kubectl/v1.14.10 (windows/amd64) kubernetes/f5757a1"},
+ {"principal": "kubernetes-admin",
+ "caller_ip_asn": "Partner Communications Ltd.",
+ "subresource_exec_container": "kube-proxy",
+ "user_id": "heptio-authenticator-aws:111111111111:AIDAIANUOR22TDHE5UU66",
+ "rule": "pod execution",
+ "cluster": "aks-test",
+ "subresource_exec_stderr": "true",
+ "username": "kubernetes-admin",
+ "uri": "/api/v1/namespaces/kube-system/pods/kube-proxy-kzzc5/exec?command=ls&container=kube-proxy&stderr=true&stdout=true",
+ "verb": "create",
+ "api_version": "v1",
+ "resource_namespace": "kube-system",
+ "id": "5a4c2f26-345d-44e2-9f52-a462aaf34a5a",
+ "timestamp": "2020-03-01T15:11:53+0000",
+ "subresource_exec_stdout": "true",
+ "status_code": 101,
+ "subresource_exec_command": "ls",
+ "subresource": "exec",
+ "ua_kubectl_exe": "v1.14.10",
+ "time": 1583075513549,
+ "resource_type": "pods",
+ "access_type": "write",
+ "user_groups": "system:authenticated; system:masters",
+ "caller_ip": "77.125.20.90",
+ "caller_ip_country": "IL",
+ "non_authorized": false,
+ "resource_name": "kube-system/pods/kube-proxy-kzzc5",
+ "ua_windows": "amd6",
+ "original_user_agent": "kubectl.exe/v1.14.10 (windows/amd64) 
kubernetes/f5757a1"},
+ {"principal": "kubernetes-admin",
+ "caller_ip_asn": "Partner Communications Ltd.",
+ "subresource_exec_container": "coredns",
+ "user_id": "heptio-authenticator-aws:111111111111:AIDAIANUOR22TDHE5UU66",
+ "rule": "pod execution",
+ "cluster": "aks-test",
+ "subresource_exec_stderr": "true",
+ "username": "kubernetes-admin",
+ "uri": "/api/v1/namespaces/kube-system/pods/coredns-84549585c-zsv9t/exec?command=ls&container=coredns&stderr=true&stdout=true",
+ "verb": "create",
+ "api_version": "v1",
+ "resource_namespace": "kube-system",
+ "id": "ab6eba8e-9e9b-490c-b72e-f53875b98264",
+ "timestamp": "2020-03-01T15:11:57+0000",
+ "subresource_exec_stdout": "true",
+ "status_code": 101,
+ "subresource_exec_command": "ls",
+ "subresource": "exec",
+ "ua_kubectl_exe": "v1.14.10",
+ "time": 1583075517401,
+ "resource_type": "pods",
+ "access_type": "write",
+ "user_groups": "system:authenticated; system:masters",
+ "caller_ip": "77.125.20.90",
+ "caller_ip_country": "IL",
+ "non_authorized": false,
+ "resource_name": "kube-system/pods/coredns-84549585c-zsv9t",
+ "ua_windows": "amd6",
+ "original_user_agent": "kubectl.exe/v1.14.10 (windows/amd64) kubernetes/f5757a1"},
+ {"principal": "kubernetes-admin",
+ "caller_ip_asn": "Partner Communications Ltd.",
+ "subresource_exec_container": "aws-node",
+ "user_id": "heptio-authenticator-aws:111111111111:AIDAIANUOR22TDHE5UU66",
+ "rule": "pod execution",
+ "cluster": "aks-test",
+ "subresource_exec_stderr": "true",
+ "username": "kubernetes-admin",
+ "uri": "/api/v1/namespaces/kube-system/pods/aws-node-9dxs2/exec?command=ls&container=aws-node&stderr=true&stdout=true",
+ "verb": "create",
+ "api_version": "v1",
+ "resource_namespace": "kube-system",
+ "id": "5bf2ff16-7170-401b-a4c8-9679e9c3a8ab",
+ "timestamp": "2020-03-01T15:12:01+0000",
+ "subresource_exec_stdout": "true",
+ "status_code": 101,
+ "subresource_exec_command": "ls",
+ "subresource": "exec",
+ "ua_kubectl_exe": "v1.14.10",
+ "time": 1583075521306,
+ "resource_type": "pods",
+ "access_type": "write",
+ "user_groups": "system:authenticated; system:masters",
+ "caller_ip": "77.125.20.90",
+ "caller_ip_country": "IL",
+ "non_authorized": false,
+ "resource_name": "kube-system/pods/aws-node-9dxs2",
+ "ua_windows": "amd6",
+ "original_user_agent": "kubectl.exe/v1.14.10 (windows/amd64) kubernetes/f5757a1"},
+ {"principal": "kubernetes-admin",
+ "caller_ip_asn": "Partner Communications Ltd.",
+ "subresource_exec_container": "coredns",
+ "user_id": "heptio-authenticator-aws:111111111111:AIDAIANUOR22TDHE5UU66",
+ "rule": "pod execution",
+ "cluster": "aks-test",
+ "subresource_exec_stderr": "true",
+ "username": "kubernetes-admin",
+ "uri": "/api/v1/namespaces/kube-system/pods/coredns-84549585c-zsv9t/exec?command=ls&container=coredns&stderr=true&stdout=true",
+ "verb": "create",
+ "api_version": "v1",
+ "resource_namespace": "kube-system",
+ "id": "91621b35-d919-47cb-97c6-1b9194735047",
+ "timestamp": "2020-03-01T15:12:05+0000",
+ "subresource_exec_stdout": "true",
+ "status_code": 101,
+ "subresource_exec_command": "ls",
+ "subresource": "exec",
+ "ua_kubectl_exe": "v1.14.10",
+ "time": 1583075525265,
+ "resource_type": "pods",
+ "access_type": "write",
+ "user_groups": "system:authenticated; system:masters",
+ "caller_ip": "77.125.20.90",
+ "caller_ip_country": "IL",
+ "non_authorized": false,
+ "resource_name": "kube-system/pods/coredns-84549585c-zsv9t",
+ "ua_windows": "amd6",
+ "original_user_agent": "kubectl.exe/v1.14.10 (windows/amd64) kubernetes/f5757a1"},
+ {"principal": "kubernetes-admin",
+ "caller_ip_asn": "Partner Communications Ltd.",
+ "subresource_exec_container": "aws-node",
+ "user_id": "heptio-authenticator-aws:111111111111:AIDAIANUOR22TDHE5UU66",
+ "rule": "pod execution",
+ "cluster": "aks-test",
+ "subresource_exec_stderr": "true",
+ "username": "kubernetes-admin",
+ "uri": "/api/v1/namespaces/kube-system/pods/aws-node-xnslz/exec?command=ls&container=aws-node&stderr=true&stdout=true",
+ "verb": 
"create",
+ "api_version": "v1",
+ "resource_namespace": "kube-system",
+ "id": "a9f7ad8d-5699-46c1-8af9-539d8eb085a8",
+ "timestamp": "2020-03-01T15:12:09+0000",
+ "subresource_exec_stdout": "true",
+ "status_code": 101,
+ "subresource_exec_command": "ls",
+ "subresource": "exec",
+ "ua_kubectl_exe": "v1.14.10",
+ "time": 1583075529184,
+ "resource_type": "pods",
+ "access_type": "write",
+ "user_groups": "system:authenticated; system:masters",
+ "caller_ip": "77.125.20.90",
+ "caller_ip_country": "IL",
+ "non_authorized": false,
+ "resource_name": "kube-system/pods/aws-node-xnslz",
+ "ua_windows": "amd6",
+ "original_user_agent": "kubectl.exe/v1.14.10 (windows/amd64) kubernetes/f5757a1"},
+ {"principal": "kubernetes-admin",
+ "caller_ip_asn": "Partner Communications Ltd.",
+ "subresource_exec_container": "coredns",
+ "user_id": "heptio-authenticator-aws:111111111111:AIDAIANUOR22TDHE5UU66",
+ "rule": "pod execution",
+ "cluster": "aks-test",
+ "subresource_exec_stderr": "true",
+ "username": "kubernetes-admin",
+ "uri": "/api/v1/namespaces/kube-system/pods/coredns-84549585c-zsv9t/exec?command=ls&container=coredns&stderr=true&stdout=true",
+ "verb": "create",
+ "api_version": "v1",
+ "resource_namespace": "kube-system",
+ "id": "ef9d851a-8280-4a60-8f40-44f88538966e",
+ "timestamp": "2020-03-01T15:27:02+0000",
+ "subresource_exec_stdout": "true",
+ "status_code": 101,
+ "subresource_exec_command": "ls",
+ "subresource": "exec",
+ "ua_kubectl_exe": "v1.14.10",
+ "time": 1583076422347,
+ "resource_type": "pods",
+ "access_type": "write",
+ "user_groups": "system:authenticated; system:masters",
+ "caller_ip": "77.125.20.90",
+ "caller_ip_country": "IL",
+ "non_authorized": false,
+ "resource_name": "kube-system/pods/coredns-84549585c-zsv9t",
+ "ua_windows": "amd6",
+ "original_user_agent": "kubectl.exe/v1.14.10 (windows/amd64) kubernetes/f5757a1"},
+ {"principal": "kubernetes-admin",
+ "caller_ip_asn": "Partner Communications Ltd.",
+ "subresource_exec_container": 
"aws-node",
+ "user_id": "heptio-authenticator-aws:111111111111:AIDAIANUOR22TDHE5UU66",
+ "rule": "pod execution",
+ "cluster": "aks-test",
+ "subresource_exec_stderr": "true",
+ "username": "kubernetes-admin",
+ "uri": "/api/v1/namespaces/kube-system/pods/aws-node-9dxs2/exec?command=ls&container=aws-node&stderr=true&stdout=true",
+ "verb": "create",
+ "api_version": "v1",
+ "resource_namespace": "kube-system",
+ "id": "5ce9e69a-ad40-4794-ac56-cc7fe0b4b752",
+ "timestamp": "2020-03-01T15:27:06+0000",
+ "subresource_exec_stdout": "true",
+ "status_code": 101,
+ "subresource_exec_command": "ls",
+ "subresource": "exec",
+ "ua_kubectl_exe": "v1.14.10",
+ "time": 1583076426279,
+ "resource_type": "pods",
+ "access_type": "write",
+ "user_groups": "system:authenticated; system:masters",
+ "caller_ip": "77.125.20.90",
+ "caller_ip_country": "IL",
+ "non_authorized": false,
+ "resource_name": "kube-system/pods/aws-node-9dxs2",
+ "ua_windows": "amd6",
+ "original_user_agent": "kubectl.exe/v1.14.10 (windows/amd64) kubernetes/f5757a1"},
+ {"principal": "kubernetes-admin",
+ "caller_ip_asn": "Partner Communications Ltd.",
+ "subresource_exec_container": "aws-node",
+ "user_id": "heptio-authenticator-aws:111111111111:AIDAIANUOR22TDHE5UU66",
+ "rule": "pod execution",
+ "cluster": "aks-test",
+ "subresource_exec_stderr": "true",
+ "username": "kubernetes-admin",
+ "uri": "/api/v1/namespaces/kube-system/pods/aws-node-n7tw4/exec?command=ls&container=aws-node&stderr=true&stdout=true",
+ "verb": "create",
+ "api_version": "v1",
+ "resource_namespace": "kube-system",
+ "id": "dced3d99-909d-48a8-b52b-90e959b80f42",
+ "timestamp": "2020-03-01T15:27:10+0000",
+ "subresource_exec_stdout": "true",
+ "status_code": 101,
+ "subresource_exec_command": "ls",
+ "subresource": "exec",
+ "ua_kubectl_exe": "v1.14.10",
+ "time": 1583076430125,
+ "resource_type": "pods",
+ "access_type": "write",
+ "user_groups": "system:authenticated; system:masters",
+ "caller_ip": "77.125.20.90",
+ 
"caller_ip_country": "IL",
+ "non_authorized": false,
+ "resource_name": "kube-system/pods/aws-node-n7tw4",
+ "ua_windows": "amd6",
+ "original_user_agent": "kubectl.exe/v1.14.10 (windows/amd64) kubernetes/f5757a1"},
+ {"principal": "kubernetes-admin",
+ "caller_ip_asn": "Partner Communications Ltd.",
+ "subresource_exec_container": "aws-node",
+ "user_id": "heptio-authenticator-aws:111111111111:AIDAIANUOR22TDHE5UU66",
+ "rule": "pod execution",
+ "cluster": "aks-test",
+ "subresource_exec_stderr": "true",
+ "username": "kubernetes-admin",
+ "uri": "/api/v1/namespaces/kube-system/pods/aws-node-7d5tn/exec?command=ls&container=aws-node&stderr=true&stdout=true",
+ "verb": "create",
+ "api_version": "v1",
+ "resource_namespace": "kube-system",
+ "id": "43cee327-a785-4dd1-9017-6bba6953f124",
+ "timestamp": "2020-03-01T15:27:14+0000",
+ "subresource_exec_stdout": "true",
+ "status_code": 101,
+ "subresource_exec_command": "ls",
+ "subresource": "exec",
+ "ua_kubectl_exe": "v1.14.10",
+ "time": 1583076434100,
+ "resource_type": "pods",
+ "access_type": "write",
+ "user_groups": "system:authenticated; system:masters",
+ "caller_ip": "77.125.20.90",
+ "caller_ip_country": "IL",
+ "non_authorized": false,
+ "resource_name": "kube-system/pods/aws-node-7d5tn",
+ "ua_windows": "amd6",
+ "original_user_agent": "kubectl.exe/v1.14.10 (windows/amd64) kubernetes/f5757a1"},
+ {"principal": "kubernetes-admin",
+ "caller_ip_asn": "Partner Communications Ltd.",
+ "subresource_exec_container": "aws-node",
+ "user_id": "heptio-authenticator-aws:111111111111:AIDAIANUOR22TDHE5UU66",
+ "rule": "pod execution",
+ "cluster": "aks-test",
+ "subresource_exec_stderr": "true",
+ "username": "kubernetes-admin",
+ "uri": "/api/v1/namespaces/kube-system/pods/aws-node-xnslz/exec?command=ls&container=aws-node&stderr=true&stdout=true",
+ "verb": "create",
+ "api_version": "v1",
+ "resource_namespace": "kube-system",
+ "id": "3391d6c1-106f-4acf-b298-0ca9fad13b9e",
+ "timestamp": 
"2020-03-01T15:27:18+0000",
+ "subresource_exec_stdout": "true",
+ "status_code": 101,
+ "subresource_exec_command": "ls",
+ "subresource": "exec",
+ "ua_kubectl_exe": "v1.14.10",
+ "time": 1583076438039,
+ "resource_type": "pods",
+ "access_type": "write",
+ "user_groups": "system:authenticated; system:masters",
+ "caller_ip": "77.125.20.90",
+ "caller_ip_country": "IL",
+ "non_authorized": false,
+ "resource_name": "kube-system/pods/aws-node-xnslz",
+ "ua_windows": "amd6",
+ "original_user_agent": "kubectl.exe/v1.14.10 (windows/amd64) kubernetes/f5757a1"},
+ {"principal": "kubernetes-admin",
+ "caller_ip_asn": "Partner Communications Ltd.",
+ "subresource_exec_container": "kube-proxy",
+ "user_id": "heptio-authenticator-aws:111111111111:AIDAIANUOR22TDHE5UU66",
+ "rule": "pod execution",
+ "cluster": "aks-test",
+ "subresource_exec_stderr": "true",
+ "username": "kubernetes-admin",
+ "uri": "/api/v1/namespaces/kube-system/pods/kube-proxy-ttffx/exec?command=ls&command=%2Fbin&container=kube-proxy&stderr=true&stdout=true",
+ "verb": "create",
+ "api_version": "v1",
+ "resource_namespace": "kube-system",
+ "id": "aeadbc36-0d27-4431-9b2f-72860ed1d413",
+ "timestamp": "2020-03-01T15:38:12+0000",
+ "subresource_exec_stdout": "true",
+ "status_code": 101,
+ "subresource_exec_command": "ls /bin",
+ "subresource": "exec",
+ "time": 1583077092076,
+ "resource_type": "pods",
+ "access_type": "write",
+ "user_groups": "system:authenticated; system:masters",
+ "ua_kubectl": "v1.14.10",
+ "caller_ip": "77.125.20.90",
+ "caller_ip_country": "IL",
+ "non_authorized": false,
+ "resource_name": "kube-system/pods/kube-proxy-ttffx",
+ "ua_windows": "amd6",
+ "original_user_agent": "kubectl/v1.14.10 (windows/amd64) kubernetes/f5757a1"}]
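Review bot: Every record in this sample carries a routable source address (`77.125.20.90`) with its ASN and country, plus a `user_id` shaped like a real IAM principal (`heptio-authenticator-aws:111111111111:AIDA…`); sample data published in a public repository should use RFC 5737 documentation addresses and clearly synthetic principal identifiers so nothing attributable is committed. The `ua_windows` value is `"amd6"` in every record while `original_user_agent` says `windows/amd64`, which looks like a truncated parse — worth confirming whether the connector really emits that, because this file defines what the `_s` columns referenced by the sample queries will look like. The `subresource_exec_*` flags are the strings `"true"` while `non_authorized` is the JSON boolean `false`; if ingestion types columns from the JSON value, those fields will land as `_s` and `_b` columns respectively, so one representation for all flags (e.g. `"subresource_exec_stderr": true,`) would keep queries uniform. Minor: the cluster is named `aks-test` but the principal is authenticated through `heptio-authenticator-aws`, which reads as EKS rather than AKS.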