Azure Sentinel shows update events for AKS nodes. What to do?


Context:

  • I have a number of AKS clusters
  • I have Azure Security Center in place, which provisioned the OmsAgentForLinux extension to each of the cluster's nodes.
  • I have Azure Sentinel in place, which shows various events for my subscription

Question:

  • In the Overview section of Sentinel I now see Update events:
    [Image: Schermafbeelding 2020-03-17 om 14.25.37.png]

  • If you click on the update events it then shows you a list of pending (?) updates for each VM:
    [Image: Schermafbeelding 2020-03-17 om 14.32.53.png]

  • Are these updates automatically installed as AKS is a managed cluster? If so, how can I tell that they have been successfully installed? If not, how to go about these updates?

@L2v2P 
The Update table is from the Update Management solution https://docs.microsoft.com/en-us/azure/automation/automation-update-management Someone must have onboarded you. See this link for scheduling etc... https://docs.microsoft.com/en-us/azure/automation/automation-tutorial-update-management
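To see what the Update table referenced above actually says about the AKS nodes, the following Log Analytics query is an added example (not part of the thread) that takes the latest record per node and package and shows whether anything is still reported as needed. It assumes the standard Update Management columns (Computer, OSType, Product, ProductArch, UpdateState, Classification, RebootBehavior, Title), that UpdateSummary carries a RestartPending column, and that the node names start with "aks-"; adjust the name filter to your clusters.

```kql
// Added example, not from the original post. Assumes the documented Update
// Management schema; the "aks-" prefix is an assumption about node naming.
Update
| where TimeGenerated > ago(7d)
| where OSType == "Linux"
| where Computer startswith "aks-"
// Keep only the most recent record per node and package. A package reported
// as "Needed" yesterday and "Installed" today should count as installed.
| summarize arg_max(TimeGenerated, UpdateState, Classification, RebootBehavior, Title)
    by Computer, Product, ProductArch
| summarize
    StillNeeded             = countif(UpdateState =~ "Needed"),
    NeededSecurityOrCritical = countif(UpdateState =~ "Needed"
                                and Classification in~ ("Security Updates", "Critical Updates")),
    NeededRequiringReboot   = countif(UpdateState =~ "Needed"
                                and RebootBehavior =~ "AlwaysRequiresReboot"),
    Installed               = countif(UpdateState =~ "Installed"),
    LastReport              = max(TimeGenerated)
    by Computer
// Assumed column: UpdateSummary.RestartPending flags nodes that still need a reboot
| join kind=leftouter (
    UpdateSummary
    | where TimeGenerated > ago(7d)
    | summarize arg_max(TimeGenerated, RestartPending) by Computer
    | project Computer, RestartPending
  ) on Computer
| project Computer, StillNeeded, NeededSecurityOrCritical, NeededRequiringReboot,
          Installed, RestartPending, LastReport
| order by NeededSecurityOrCritical desc, StillNeeded desc
```

Running this on two consecutive days shows which packages moved from Needed to Installed, which is the evidence of a successful install the question asks for; rows with RestartPending true are the ones where an applied kernel update is not yet active.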


@Clive Watson 
Thanks Clive. I'm 100% certain these update events started showing up after I enabled Azure Security Center. Enabling ASC installed the OmsAgentForLinux VM extension which I can imagine also scans for missing updates.
I've also found part of my answer through your link. The table below clearly shows that AKS is not supported. Following the link I read: "To protect your clusters, security updates are automatically applied to Linux nodes in AKS. These updates include OS security fixes or kernel updates." So, based on this, I'm going to assume that all updates (that do not require a reboot) for which an event was generated will eventually be installed. Would you know if that assumption is correct? Thanks again.

[Image: Schermafbeelding 2020-03-18 om 07.30.35.png]