To address the evolving security challenges surrounding container solutions our team recently announced Microsoft Defender for Containers – a new cloud workload protection plan designed around the unique needs of container-based solutions including Azure Kubernetes Service, Amazon EKS, Google GKE and on-prem environments. It is part of Microsoft Defender for Cloud.
It merges two previous legacy plans which we had, namely Microsoft Defender for Kubernetes and Microsoft Defender for Container registries. It doesn’t remove any functionalities which were present in these legacy plans, it does however add new set of critical features on top of it, like threat protection on the Worker Node level for VMSS nodes.
Other critical capabilities include Advanced Threat Protection, VA, Hardening Controls, Multi-Cloud Support and Kubernetes-Native Deployment.
You can learn more about these capabilities reading the following articles:
Microsoft launches dedicated Container protection plan
On this blog post we will focus on how to simulate alerts that are part of the AKS advanced threat Detection.
Simulate AKS alert on Microsoft Defender for Cloud
To simulate AKS alert on a cluster that is protected under Microsoft Defender for Cloud follow the following steps:
2. From Azure CLI login to the AKS subscription by running the above commands:
az login
az account set --subscription "MyAzureSubName"
3. Download AKS tools for Azure CLI and add a local path:
az aks install-cli
$env:path += 'C:\Users\User\.azure-kubectl'
4. Run the alert simulation command below:
kubectl get pods --namespace=asc-alerttest-662jfi039n
You may see an output like the one below:
Wait approximately 30 minutes and open Microsoft Defender for Cloud alert blade:
In the Azure portal, open Microsoft Defender for Cloud's security alerts page and look for the alert on the relevant resource:
Once you see it, click on it until you see the full details, as shown below:
The full list of available threat detection alerts can be found here.
When Defender for Containers is enabled, any image you push to your registry will be scanned immediately. In addition, any image pulled within the last 30 days is also scanned.
Key notes about this feature are:
When the scanner reports vulnerabilities to Defender for Cloud, Defender for Cloud presents the findings and related information as recommendations. In addition, the findings include related information such as remediation steps, relevant CVEs, CVSS scores, and more.
You can view the identified vulnerabilities for one or more subscriptions, or for a specific registry.
To simulate this, the first step is to install Docker desktop.
Follow the steps below to do that:
docker version
You may see an output like the one below:
Follow the steps below to do that and continue the validation:
Select Create a resource > Containers > Container Registry.
In the Basics tab, enter values for Resource group and Registry name. The registry name must be unique within Azure, and contain 5-50 alphanumeric characters. For this quickstart create a new resource group in the West US location named myResourceGroup, and for SKU, select 'Basic'.
4. Open PowerShell and run (where the name is the ACR name that you created) the command below:
az acr login --name secteach365
You may see an output like the one below:
5. Download vulnerable image from docker hub https://hub.docker.com/r/vulnerables/web-dvwa/,
by running the command below:
docker pull vulnerables/web-dvwa
A sample of the output is shown below:
6. Check the image on your local repository by running the command below:
Docker images vulnerables/web-dvwa
A sample of the output is shown below:
7. In this step we need to tag our image with the ACR Login URL that we copied in steps Execute the following command:
Docker tag vulnerables/web-dvwa:latest secteach365.azurecr.io/vulnerables/web-dvwa:v1
8. Check again the image on your local repository by running the command below:
Docker images secteach365.azurecr.io/vulnerables/web-dvwa
9. Run docker push to upload the new image to the azure repository and generate image scan (it can take some time), using the command below:
docker push secteach365.azurecr.io/vulnerables/web-dvwa:v1
Once done check on your ACR repository and validate that you have a new repository with a new image.
Drill down to the recommendation and review image and the set of vulnerabilities that Microsoft Defender for Cloud has discovered.
In this blogpost, we provided details on the options to simulate alerts that are part of the AKS threat Detection and the image scanning (ACR) recommendation.
For more information on how Microsoft Defender for Cloud visit our documentation below: Microsoft Defender for Cloud documentation | Microsoft Docs
Special thanks to @mahersko, @Yuri Diogenes for reviewing this article.
This article was originally wrote for Azure Security Center by Yaniv Shasha, you can find the original post here : How to demonstrate the new containers features in Azure Security Center - Microsoft Tech Community
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.