How to demonstrate the new containers features in Microsoft Defender for Cloud
To address the evolving security challenges surrounding container solutions our team recently announced Microsoft Defender for Containers – a new cloud workload protection plan designed around the unique needs of container-based solutions including Azure Kubernetes Service, Amazon EKS, Google GKE and on-prem environments. It is part of Microsoft Defender for Cloud. It merges two previous legacy plans which we had, namely Microsoft Defender for Kubernetes and Microsoft Defender for Container registries. It doesn’t remove any functionalities which were present in these legacy plans, it does however add new set of critical features on top of it, like threat protection on the Worker Node level for VMSS nodes. Other critical capabilities include Advanced Threat Protection, VA, Hardening Controls, Multi-Cloud Support and Kubernetes-Native Deployment.
You can learn more about these capabilities reading the following articles:
On this blog post we will focus on how to simulate alerts that are part of the AKS advanced threat Detection.
Simulate AKS alert on Microsoft Defender for Cloud
To simulate AKS alert on a cluster that is protected under Microsoft Defender for Cloud follow the following steps:
Validate that your Microsoft Defender for Containers plan pricing tier is enabled. If it is not, make sure to enabled it.
2. From Azure CLI login to the AKS subscription by running the above commands:
az account set --subscription "MyAzureSubName"
3. Download AKS tools for Azure CLI and add a local path:
az aks install-cli
$env:path += 'C:\Users\User\.azure-kubectl'
4. Run the alert simulation command below:
kubectl get pods --namespace=asc-alerttest-662jfi039n
You may see an output like the one below:
Wait approximately 30 minutes and open Microsoft Defender for Cloud alert blade:
In the Azure portal, open Microsoft Defender for Cloud's security alerts page and look for the alert on the relevant resource:
Once you see it, click on it until you see the full details, as shown below:
The full list of available threat detection alerts can be found here.
Simulate scanning for a vulnerable container image to an Azure Container Registry (ACR) and present its recommendation in Microsoft Defender for Cloud.
When Defender for Containers is enabled, any image you push to your registry will be scanned immediately. In addition, any image pulled within the last 30 days is also scanned.
Key notes about this feature are:
When the scanner reports vulnerabilities to Defender for Cloud, Defender for Cloud presents the findings and related information as recommendations. In addition, the findings include related information such as remediation steps, relevant CVEs, CVSS scores, and more.
You can view the identified vulnerabilities for one or more subscriptions, or for a specific registry.
To simulate this, the first step is to install Docker desktop.
Select Create a resource > Containers > Container Registry.
In the Basics tab, enter values for Resource group and Registry name. The registry name must be unique within Azure, and contain 5-50 alphanumeric characters. For this quickstart create a new resource group in the West US location named myResourceGroup, and for SKU, select 'Basic'.
Accept default values for the remaining settings. Then select Review + create. After reviewing the settings, select Create.
When the Deployment succeeded message appears, select the container registry in the portal.
copy the Login server URL
4. Open PowerShell and run (where the name is the ACR name that you created) the command below: