Forum Discussion
AKS Sentinel analytics rules
- Dec 12, 2023
Hey Tobias_Moe
Best way to go here is to use Defender Plans - Containers.
Streaming logs into Sentinel, especially from an AKS cluster, can be costly, and the Defender Plan is a much cheaper approach, especially if you are running a large cluster instance.
Defender for Cloud will automatically generate any security alerts based on MITRE ATT&CK that can be streamed into Sentinel without the hassle of creating use cases for monitoring an AKS using logs only. Most of the logs will be useless to you.
But in saying this, if there is a requirement to stream logs from an AKS into Sentinel, check out the containers MITRE ATT&CK Framework for alerting that could be created: https://attack.mitre.org/matrices/enterprise/containers/
This should give you some good ideas.
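As an added example (not part of the reply above), this Sentinel KQL query shows the approach the reply recommends: consuming the Defender for Containers alerts that already carry MITRE ATT&CK tactics and techniques, scoped to AKS clusters, rather than hand-building detections from raw AKS logs. It uses Sentinel's SecurityAlert table; the ProductName value and the string format of the Tactics column are assumptions to confirm against your own workspace.

```kql
// Added example: scheduled analytics rule query over Defender for Cloud alerts
// for AKS clusters, grouped by cluster and ATT&CK tactic.
SecurityAlert
| where TimeGenerated > ago(1h)
// Assumption: Defender for Cloud alerts arrive with this ProductName.
// Verify in your workspace with:  SecurityAlert | distinct ProductName
| where ProductName == "Azure Security Center"
// Keep only alerts raised against AKS managed clusters.
| where ResourceId has "Microsoft.ContainerService/managedClusters"
| extend ClusterName = extract(@"managedClusters/([^/]+)", 1, ResourceId)
// Assumption: Tactics is either a JSON array string or a comma-separated
// string depending on the connector version; handle both forms.
| extend TacticList = iif(Tactics startswith "[", parse_json(Tactics), split(Tactics, ","))
| mv-expand Tactic = TacticList to typeof(string)
| extend Tactic = trim(" ", Tactic)
| summarize AlertCount = count(),
            AlertNames = make_set(AlertName),
            Techniques = make_set(Techniques),
            Entities = make_set(CompromisedEntity),
            LastSeen = max(TimeGenerated)
    by ClusterName, Tactic, AlertSeverity
| order by AlertSeverity desc, LastSeen desc
```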