In this blog, I continue the Microsoft Defender PoC series by providing you with guidelines and considerations for how to successfully perform a proof of concept for the new Microsoft Defender for Containers plan. With the release of the new Microsoft Defender for Containers plan, we have merged the previous Microsoft Defender for Kubernetes and Microsoft Defender for Container Registries into one offering. Aside from combining the features of the two previous plans, this offering brings new and improved features including multi-cloud support and host level threat detection. For a more holistic approach on Microsoft Defender for Cloud as a whole, check out How to Effectively Perform a Microsoft Defender for Cloud PoC.
Defender for Containers protects your Kubernetes clusters in both Azure, Amazon Web Services (AWS), Google Cloud Project (GCP), as well as on-prem/IaaS. For Kubernetes clusters hosted outside of Azure, Azure Arc-enabled Kubernetes is required to connect the clusters to Azure and provide threat protection from Microsoft Defender for Containers. Once the Kubernetes cluster is connected to Azure, an Arc extension collects Kubernetes audit logs data. For clusters hosted in AWS or GCP, you’ll need to connect your AWS accounts to Microsoft Defender for Cloud or connect your GCP project to Microsoft Defender for Cloud. Defender for Containers also leverages a Kubernetes native agent, the Defender Profile, for run-time protection and collection of node signals.
The Defender for Containers plan also includes an integrated vulnerability scanner for scanning images in Azure Container Registries and Elastic Container Registries (AWS). T The results from the vulnerability assessment scanning are visible in the recommendations "Container images should have vulnerability findings resolved" and "Elastic container registry images should have vulnerability findings resolved". With the addition of the Defender Profile, customers using Azure Kubernetes Service also have visibility into vulnerability assessments for running images. Before deploying Microsoft Defender for Containers, please be sure to check that your registries and images as well as Kubernetes distributions are supported by this plan.
At the time of publication, the current price of Microsoft Defender for Containers is $7 per vCore per month. This price includes 20 free scans per vCore where the count will be based on the previous month’s consumption.
You can enable Microsoft Defender for Containers on the subscription level, with a 30-day free trial. Keeping that in mind, you should plan to execute your PoC prior to this expiration and, based on the results, decide to keep it enabled or not.
To enable Microsoft Defender for Containers, you will need the Security Admin role. To enable this plan, you simply switch the toggle from “off” to “on” as pictured below.
Defender for Containers pricing
The Security Admin role is also needed to dismiss alerts and the Security Reader role is needed to view findings. To familiarize yourself with the alerts you may receive with this plan, review the Alerts Reference Guide.
To make sure you have a complete understanding of Microsoft Defender for Containers, please be sure to also check out the following resources:
Implementation and Validation
Once enabled, the vulnerability assessment scanner will automatically start scanning existing subscriptions for Azure Container Registries. After scanning the images, the recommendation “Container registry images should have vulnerability findings resolved” will appear to show all unhealthy registries with all unhealthy images in them. The “Affected Resources” tab shows you vulnerable container registries while the “Security Checks” tab shows you the vulnerabilities. Clicking on a specific “Security Check” will open a pane that gives you more information the security finding and how to remediate it. Vulnerabilities can be exported using Continuous Export or accessed via our Sub Assessments REST API.
Container registry scanning
You can also check to see if Microsoft Defender for Containers is running properly by simulating an alert.
If you find alerts that are not relevant to your environment, you can either manually dismiss them or create suppression rules to automatically dismiss them in the future.
By the end of this PoC, you should be able to determine the value of Microsoft Defender for Containers and the significance of this level of threat detection on your workloads.
Reviewers: Tom Janetscheck, Senior Program Manager