Introduction
In this article, I continue the Microsoft Defender for Cloud PoC series by providing you with guidelines and considerations for how to successfully perform a proof of concept for the Microsoft Defender for Kubernetes plan. For a more holistic approach that involves validating Microsoft Defender for Cloud, check out How to Effectively Perform a Microsoft Defender for Cloud PoC.
Planning
As part of this PoC, it is important to understand that Microsoft Defender for Kubernetes provides threat detection and protection at the cluster level by continuously monitoring your cluster's logs. This covers security events such as exposed Kubernetes dashboards and the creation of highly privileged roles. For AKS clusters, no provisioning actions are required beyond enabling the plan in Microsoft Defender for Cloud, because Defender for Cloud is integrated with AKS through the Azure backbone.
Microsoft Defender for Kubernetes can also protect Kubernetes clusters wherever they run, including on-premises and multi-cloud clusters. For those clusters, you first connect the cluster to Azure Arc and then deploy the Microsoft Defender for Kubernetes extension. For details on deploying the extension, see the following resources:
- Overview of Azure Arc enabled Kubernetes - Azure Arc | Microsoft Docs
- Quickstart: Connect an existing Kubernetes cluster to Azure Arc - Azure Arc | Microsoft Docs
- Protect hybrid and multi-cloud Kubernetes deployments with Microsoft Defender for Kubernetes | Microsoft Docs
If this is your first time enabling Defender for Cloud, try it out for free for 30 days while you execute your PoC. During this time you can decide whether to keep this plan; if you choose not to, be sure to disable it at the end of the free trial to avoid charges. For pricing information, see: Pricing—Microsoft Defender for Cloud | Microsoft Azure.
Preparation
To enable Microsoft Defender for Kubernetes, you need the Security Admin role on the subscription where the plan will be enabled. To enable the plan, switch the toggle from "off" to "on" as pictured below.
Besides enabling the plan, the Security Admin role also allows you to dismiss alerts; a user who only needs to review findings should be granted the Security Reader role instead. When anomalous behavior occurs on your Kubernetes cluster, Microsoft Defender for Kubernetes raises alerts. To familiarize yourself with the alerts this plan can generate, review the Alerts Reference Guide.
For a more complete understanding of Microsoft Defender for Kubernetes, also check out these resources:
- Threat Matrix for Kubernetes | Azure Security Center in the Field #11 - YouTube
- Azure Arc and Microsoft Defender for Kubernetes | Azure Security Center in the Field #27 - YouTube
Implementation and Validation
Once the plan is enabled, you can verify that Microsoft Defender for Kubernetes is working properly by simulating an alert as described in the following resources:
- Alert validation in Microsoft Defender for Cloud | Microsoft Docs
- How to demonstrate the new containers features in Microsoft Defender for Cloud - Microsoft Tech Community
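The steps described above, collected into one Azure CLI and kubectl script: enabling (and later disabling) the plan and assigning the Security Reader role from the Preparation section, connecting a non-AKS cluster to Azure Arc and deploying the Defender for Kubernetes extension from the Planning section, and raising the documented test alert for validation. This is an added example and not code from the original article or from Microsoft; the subscription id, resource group, cluster name and user principal name are placeholders (assumptions), and DRY_RUN=1 (the default) prints each command instead of executing it so the script can be reviewed before it touches a subscription.

```shell
#!/bin/sh
# Added example for a Microsoft Defender for Kubernetes PoC; not from the
# original article. All resource names below are placeholder assumptions.
# DRY_RUN=1 (default) prints commands; DRY_RUN=0 executes them with az/kubectl.
set -eu

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Preparation: turn the Defender for Kubernetes plan on (tier Standard) or
# back off at the end of the free trial (tier Free) at subscription scope.
# Requires the Security Admin role on the subscription.
set_defender_for_kubernetes_tier() {
    local subscription="$1" tier="$2"
    run az security pricing create --name KubernetesService --tier "$tier" \
        --subscription "$subscription"
}

# Preparation: a reviewer who only needs to read findings gets Security
# Reader, not Security Admin (least privilege for the PoC participants).
grant_security_reader() {
    local subscription="$1" assignee="$2"
    run az role assignment create --assignee "$assignee" \
        --role "Security Reader" --scope "/subscriptions/$subscription"
}

# Planning: non-AKS clusters (on-premises, other clouds) are first connected
# to Azure Arc, then the Defender for Kubernetes extension is deployed to
# them. AKS clusters skip this step entirely.
connect_arc_and_deploy_extension() {
    local resource_group="$1" cluster="$2"
    run az extension add --name connectedk8s
    run az extension add --name k8s-extension
    run az connectedk8s connect --name "$cluster" --resource-group "$resource_group"
    run az k8s-extension create \
        --name microsoft.azuredefender.kubernetes \
        --extension-type microsoft.azuredefender.kubernetes \
        --cluster-type connectedClusters \
        --cluster-name "$cluster" --resource-group "$resource_group"
}

# Validation: the documented way to raise a benign test alert is to query a
# namespace whose name Defender for Cloud recognises as a test marker. The
# resulting alert should appear in Defender for Cloud within a few minutes.
trigger_test_alert() {
    run kubectl get pods --namespace=asc-alerttest-662jfi039n
}

main() {
    sub="00000000-0000-0000-0000-000000000000"   # placeholder subscription id
    set_defender_for_kubernetes_tier "$sub" Standard
    grant_security_reader "$sub" "reviewer@contoso.com"
    connect_arc_and_deploy_extension "poc-rg" "onprem-cluster-01"
    trigger_test_alert
}

main
```

Run it once as-is to review the generated commands, then again with DRY_RUN=0 in a shell that is already logged in with `az login` and has a kubeconfig for the target cluster. At the end of the trial, calling `set_defender_for_kubernetes_tier "$sub" Free` turns the plan off if you decide not to keep it.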
If you find alerts that are not relevant to your environment, you can either dismiss them manually or create suppression rules so that matching alerts are dismissed automatically in the future. Keep suppression rules as narrow as possible, since a rule that is too broad will also hide a genuine attack that resembles the suppressed pattern.
Conclusion
By the end of this PoC, you should be able to determine the value of Microsoft Defender for Kubernetes and the significance of this level of threat detection on your workloads.
P.S. Subscribe to our Microsoft Defender for Cloud Newsletter to stay up to date on helpful tips and new releases and join our Tech Community where you can be one of the first to hear the latest Microsoft Defender for Cloud news, announcements and get your questions answered by Azure Security experts.
Reviewers
YuriDiogenes , Principal Program Manager
mahersko , Senior Program Manager