In this blog, I continue the Microsoft Defender PoC series by providing you with guidelines and considerations for how to successfully perform a proof of concept for the new Microsoft Defender for Containers plan. With the release of the new Microsoft Defender for Containers plan, we have merged the previous Microsoft Defender for Kubernetes and Microsoft Defender for Container Registries plans into one offering. Aside from combining the features of the two previous plans, this offering brings new and improved features, including multi-cloud support and host-level threat detection. For a more holistic approach to Microsoft Defender for Cloud as a whole, check out How to Effectively Perform a Microsoft Defender for Cloud PoC.
Defender for Containers protects your Kubernetes clusters in both Azure and AWS as well as on-prem/IaaS. For Kubernetes clusters hosted outside of Azure, Azure Arc-enabled Kubernetes is required to connect the clusters to Azure and provide threat protection from Microsoft Defender for Containers. Once the Kubernetes cluster is connected to Azure, an Arc extension collects the Kubernetes audit log data. For EKS-based clusters, you’ll need to connect your AWS accounts to Microsoft Defender for Cloud. Run-time protection for Kubernetes nodes is also provided by the Defender for Containers plan, allowing you to quickly remediate security issues.
Another key part of this plan is vulnerability assessment scanning. The Defender for Containers plan includes an integrated vulnerability scanner for scanning images in Azure Container Registries. The scan has a few triggers: on push, on pull, on import, and continuously for images that have recently been pulled (once a week for 30 days). In addition to the vulnerability assessment, security recommendations are generated for images with vulnerabilities. Before deploying Microsoft Defender for Containers, please be sure to check that your registries and images, as well as your Kubernetes distributions, are supported by this plan.
At the time of publication, the current price of Microsoft Defender for Containers is $7 per vCore per month. This price includes 20 free scans per vCore where the count will be based on the previous month’s consumption.
You can enable Microsoft Defender for Containers on the subscription level, with a 30-day free trial. Keeping that in mind, you should plan to execute your PoC prior to this expiration and, based on the results, decide to keep it enabled or not.
To enable Microsoft Defender for Containers, you will need the Security Admin role. To enable this plan, you simply switch the toggle from “off” to “on” as pictured below.
Defender for Containers pricing
The Security Admin role is also needed to dismiss alerts and the Security Reader role is needed to view findings. To familiarize yourself with the alerts you may receive with this plan, review the Alerts Reference Guide.
To make sure you have a complete understanding of Microsoft Defender for Containers, please be sure to also check out the following resources:
Once enabled, the vulnerability assessment scanner will automatically start scanning the existing subscriptions for Azure Container Registries. After scanning the images, the recommendation “Container registry images should have vulnerability findings resolved” will appear, listing all unhealthy registries and the unhealthy images in them. The “Affected Resources” tab shows you the vulnerable container registries, while the “Security Checks” tab shows you the vulnerabilities. Clicking on a specific “Security Check” opens a pane with more information about the security finding and how to remediate it. Vulnerabilities can be exported using Continuous Export or accessed via our Sub Assessments REST API.
Container registry scanning
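During a PoC it helps to pull the findings out of the portal and summarize them per registry, so you can judge how much remediation work the scanner is surfacing. The script below is an added example, not code from the original post or from Microsoft: it takes a Sub Assessments API response (the same shape Continuous Export produces) and reports unhealthy container registry vulnerabilities by registry and severity, and which of them are marked patchable. The field names (`properties.status.code`, `properties.status.severity`, `properties.resourceDetails.id`, `properties.additionalData.assessedResourceType`, `patchable`, `repositoryName`) are assumed to follow the documented sub-assessment schema; the sample response and its CVE identifiers are constructed for illustration.

```python
"""Summarize Defender for Containers registry findings from a Sub Assessments response.

Added example, not part of the original post. Field names are assumed to match the
Microsoft Defender for Cloud Sub Assessments schema; the sample data is constructed.
"""
import json
from collections import Counter, defaultdict

# Constructed sample: three registry findings, one healthy finding and one
# non-registry finding, so the filters below have something to exclude.
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {"properties": {
            "id": "CVE-0000-0001",  # constructed identifier
            "status": {"code": "Unhealthy", "severity": "High"},
            "resourceDetails": {"id": "/subscriptions/sub-id/resourceGroups/rg/providers/"
                                      "Microsoft.ContainerRegistry/registries/contosoacr/repositories/web/frontend"},
            "additionalData": {"assessedResourceType": "ContainerRegistryVulnerability",
                               "patchable": True, "repositoryName": "web/frontend"}}},
        {"properties": {
            "id": "CVE-0000-0002",  # constructed identifier
            "status": {"code": "Unhealthy", "severity": "Low"},
            "resourceDetails": {"id": "/subscriptions/sub-id/resourceGroups/rg/providers/"
                                      "Microsoft.ContainerRegistry/registries/contosoacr/repositories/web/frontend"},
            "additionalData": {"assessedResourceType": "ContainerRegistryVulnerability",
                               "patchable": False, "repositoryName": "web/frontend"}}},
        {"properties": {
            "id": "CVE-0000-0003",  # constructed identifier
            "status": {"code": "Unhealthy", "severity": "Medium"},
            "resourceDetails": {"id": "/subscriptions/sub-id/resourceGroups/rg/providers/"
                                      "Microsoft.ContainerRegistry/registries/fabrikamacr/repositories/api"},
            "additionalData": {"assessedResourceType": "ContainerRegistryVulnerability",
                               "patchable": True, "repositoryName": "api"}}},
        {"properties": {  # already remediated: must not be counted
            "id": "CVE-0000-0004",  # constructed identifier
            "status": {"code": "Healthy", "severity": "High"},
            "resourceDetails": {"id": "/subscriptions/sub-id/resourceGroups/rg/providers/"
                                      "Microsoft.ContainerRegistry/registries/fabrikamacr/repositories/api"},
            "additionalData": {"assessedResourceType": "ContainerRegistryVulnerability",
                               "patchable": True, "repositoryName": "api"}}},
        {"properties": {  # a VM finding from another plan: must not be counted
            "id": "CVE-0000-0005",  # constructed identifier
            "status": {"code": "Unhealthy", "severity": "High"},
            "resourceDetails": {"id": "/subscriptions/sub-id/resourceGroups/rg/providers/"
                                      "Microsoft.Compute/virtualMachines/vm1"},
            "additionalData": {"assessedResourceType": "ServerVulnerability", "patchable": True}}},
    ]
})

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2}


def load_findings(text):
    """Parse the JSON body returned by the Sub Assessments API (or exported to storage)."""
    return json.loads(text)


def registry_name(resource_id):
    """Extract the registry name from an Azure Container Registry resource id."""
    parts = resource_id.split("/")
    for i, part in enumerate(parts):
        if part.lower() == "registries" and i + 1 < len(parts):
            return parts[i + 1]
    return "unknown"


def is_registry_vulnerability(item):
    """True only for image findings produced by the registry scanner."""
    additional = item.get("properties", {}).get("additionalData", {})
    return additional.get("assessedResourceType") == "ContainerRegistryVulnerability"


def summarize_findings(response, min_severity="Medium"):
    """Count unhealthy registry vulnerabilities per registry and list the patchable ones.

    Returns {"by_registry": {registry: {severity: count}},
             "patchable": [(registry, repository, vulnerability id), ...]}.
    """
    by_registry = defaultdict(Counter)
    patchable = []
    for item in response.get("value", []):
        props = item.get("properties", {})
        status = props.get("status", {})
        if status.get("code") != "Unhealthy" or not is_registry_vulnerability(item):
            continue
        severity = status.get("severity", "Low")
        if SEVERITY_RANK.get(severity, 0) < SEVERITY_RANK[min_severity]:
            continue
        registry = registry_name(props.get("resourceDetails", {}).get("id", ""))
        by_registry[registry][severity] += 1
        additional = props.get("additionalData", {})
        if additional.get("patchable"):
            patchable.append((registry, additional.get("repositoryName"), props.get("id")))
    return {"by_registry": {k: dict(v) for k, v in by_registry.items()},
            "patchable": patchable}


if __name__ == "__main__":
    report = summarize_findings(load_findings(SAMPLE_RESPONSE))
    for registry, counts in report["by_registry"].items():
        print(f"{registry}: {counts}")
    for registry, repo, vuln in report["patchable"]:
        print(f"patch available: {registry}/{repo} {vuln}")
```

Replace `SAMPLE_RESPONSE` with the body fetched from the Sub Assessments endpoint for your subscription, and the patchable list becomes a ready-made remediation queue; the `Healthy` status filter keeps findings the scanner has already closed out of the PoC numbers.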
You can also check to see if Microsoft Defender for Containers is running properly by simulating an alert.