{
  "annotations": {
    "list": [
      {
        "builtIn": 1,
        "datasource": { "type": "datasource", "uid": "grafana" },
        "enable": true,
        "hide": true,
        "iconColor": "rgba(0, 211, 255, 1)",
        "name": "Annotations & Alerts",
        "type": "dashboard"
      }
    ]
  },
  "description": "Kubernetes API server audit logs from Loki",
  "editable": true,
  "fiscalYearStartMonth": 0,
  "graphTooltip": 1,
  "id": 0,
  "links": [],
  "panels": [
    {
      "collapsed": false,
      "gridPos": { "h": 1, "w": 24, "x": 0, "y": 0 },
      "id": 100,
      "panels": [],
      "title": "Recent Activity",
      "type": "row"
    },
    {
      "datasource": { "type": "loki", "uid": "P8E80F9AEF21F6940" },
      "description": "Recent Kubernetes API actions from audit logs",
      "fieldConfig": {
        "defaults": {
          "color": { "mode": "thresholds" },
          "custom": {
            "align": "auto",
            "cellOptions": { "type": "auto" },
            "inspect": false
          },
          "mappings": [],
          "thresholds": {
            "mode": "absolute",
            "steps": [{ "color": "green", "value": null }]
          }
        },
        "overrides": []
      },
      "gridPos": { "h": 12, "w": 24, "x": 0, "y": 1 },
      "id": 1,
      "options": {
        "cellHeight": "sm",
        "footer": { "countRows": false, "fields": "", "reducer": ["sum"], "show": false },
        "showHeader": true,
        "sortBy": [{ "desc": true, "displayName": "Time" }]
      },
      "pluginVersion": "12.3.0",
      "targets": [
        {
          "datasource": { "type": "loki", "uid": "P8E80F9AEF21F6940" },
          "editorMode": "code",
          "expr": "{job=\"kubernetes-audit\"} | json | line_format \"{{.user.username}} {{.verb}} {{.objectRef.resource}} {{.objectRef.namespace}}\"",
          "legendFormat": "",
          "queryType": "range",
          "refId": "A"
        }
      ],
      "title": "Recent Actions",
      "type": "table"
    },
    {
      "collapsed": false,
      "gridPos": { "h": 1, "w": 24, "x": 0, "y": 13 },
      "id": 101,
      "panels": [],
      "title": "Request Rates",
      "type": "row"
    },
    {
      "datasource": { "type": "loki", "uid": "P8E80F9AEF21F6940" },
      "description": "API request count by user over time",
      "fieldConfig": {
        "defaults": {
          "color": { "mode": "palette-classic" },
          "custom": {
            "axisBorderShow": false,
            "axisCenteredZero": false,
            "axisColorMode": "text",
            "axisPlacement": "auto",
            "barAlignment": 0,
            "barWidthFactor": 0.6,
            "drawStyle": "line",
            "fillOpacity": 20,
            "gradientMode": "none",
            "hideFrom": { "legend": false, "tooltip": false, "viz": false },
            "insertNulls": false,
            "lineInterpolation": "smooth",
            "lineWidth": 2,
            "pointSize": 5,
            "scaleDistribution": { "type": "linear" },
            "showPoints": "never",
            "spanNulls": false,
            "stacking": { "group": "A", "mode": "none" },
            "thresholdsStyle": { "mode": "off" }
          },
          "mappings": [],
          "thresholds": {
            "mode": "absolute",
            "steps": [{ "color": "green", "value": null }]
          },
          "unit": "short"
        },
        "overrides": []
      },
      "gridPos": { "h": 10, "w": 24, "x": 0, "y": 14 },
      "id": 2,
      "options": {
        "legend": { "calcs": ["sum", "lastNotNull"], "displayMode": "table", "placement": "bottom", "showLegend": true },
        "tooltip": { "mode": "multi", "sort": "desc" }
      },
      "pluginVersion": "12.3.0",
      "targets": [
        {
          "datasource": { "type": "loki", "uid": "P8E80F9AEF21F6940" },
          "editorMode": "code",
          "expr": "sum by (user_username) (count_over_time({job=\"kubernetes-audit\"} | json [5m]))",
          "legendFormat": "{{user_username}}",
          "queryType": "range",
          "refId": "A"
        }
      ],
      "title": "Request Count by User",
      "type": "timeseries"
    },
    {
      "collapsed": false,
      "gridPos": { "h": 1, "w": 24, "x": 0, "y": 24 },
      "id": 102,
      "panels": [],
      "title": "Denied Requests",
      "type": "row"
    },
    {
      "datasource": { "type": "loki", "uid": "P8E80F9AEF21F6940" },
      "description": "API requests denied with HTTP 403+ status codes",
      "fieldConfig": {
        "defaults": {
          "color": { "mode": "thresholds" },
          "custom": {
            "align": "auto",
            "cellOptions": { "type": "auto" },
            "inspect": false
          },
          "mappings": [],
          "thresholds": {
            "mode": "absolute",
            "steps": [
              { "color": "green", "value": null },
              { "color": "red", "value": 403 }
            ]
          }
        },
        "overrides": []
      },
      "gridPos": { "h": 12, "w": 24, "x": 0, "y": 25 },
      "id": 3,
      "options": {
        "cellHeight": "sm",
        "footer": { "countRows": false, "fields": "", "reducer": ["sum"], "show": false },
        "showHeader": true,
        "sortBy": [{ "desc": true, "displayName": "Time" }]
      },
      "pluginVersion": "12.3.0",
      "targets": [
        {
          "datasource": { "type": "loki", "uid": "P8E80F9AEF21F6940" },
          "editorMode": "code",
          "expr": "{job=\"kubernetes-audit\"} | json | responseStatus_code >= 403",
          "legendFormat": "",
          "queryType": "range",
          "refId": "A"
        }
      ],
      "title": "Denied Requests (403+)",
      "type": "table"
    }
  ],
  "preload": false,
  "refresh": "30s",
  "schemaVersion": 42,
  "tags": ["kubernetes", "audit", "security"],
  "templating": {
    "list": []
  },
  "time": {
    "from": "now-24h",
    "to": "now"
  },
  "timepicker": {},
  "timezone": "",
  "title": "Kubernetes Audit Logs",
  "uid": "k8s-audit",
  "version": 1
}