New Azure Kubernetes Service (AKS) Security Workbook
Published Nov 09 2020 06:35 AM 6,443 Views

Visibility to the activities in your Kubernetes clusters is a crucial part of keeping the clusters secured. With Azure Defender for AKS, you can monitor your AKS clusters and be alerted when suspicious and malicious activities in the clusters occur.

Now you can get even more insights about the security of your AKS clusters with the new workbook for Azure Kubernetes Service (AKS) security in Sentinel. The workbook helps you to get a better visibility to your cluster from security perspective. The workbook leverages Diagnostic Logs and Azure Defender security alerts for giving you insights about operations in the cluster that have security impact. This includes visibility to:

  • Creation of privileged containers.
  • operations on secrets in the cluster.
  • Cluster-admin bindings.
  • Images with multiple security alerts.



To get full benefit of the new workbook, enable kube-audit in the diagnostic settings of the AKS clusters and make sure that Azure Defender for Kubernetes is enabled and ingested to Azure Sentinel.

To enable Azure Defender for Kubernetes go to Azure Security Center --> Pricing & Settings --> Select the relevant subscription and make sure that Kubernetes plan is enabled:



To ingest the security alerts to Sentinel, go to Sentinel --> Data connectors --> Azure Security Center

asc sentinel connector.png


To enable Diagnostic logs for AKS go to your AKS cluster --> Diagnostic settings --> Add diagnostic setting --> select kube-audit logs and “Send to Log Analytics”:



The workbook was developed with the assistance of:

Hesham Saad - Senior Global Cybersecurity Technical Specialist, Global Black Belt
Yaniv Shasha - Senior Program Manager, C+AI Security
Hosam Kamel - Senior Azure Specialist

Version history
Last update:
‎Nov 09 2020 06:35 AM
Updated by: