Threat Protection
Microsoft Defender for Cloud - strategy and plan towards Log Analytics Agent (MMA) deprecation
The Log Analytics agent (also known as MMA) is on a deprecation path and will be retired in August 2024. The purpose of this blog post is to clarify how Microsoft Defender for Cloud will align with this plan and what the impact on customers is.

Introducing the new File Integrity Monitoring with Defender for Endpoint integration
The release of File Integrity Monitoring (FIM) powered by Defender for Endpoint is the final and most complex piece of the puzzle, and marks a significant milestone in the Defender for Servers simplification journey. The new FIM solution, based on Defender for Endpoint, offers real-time monitoring of critical file paths and system files, so that any change indicating a potential attack is detected immediately. In addition, FIM offers built-in support for relevant security regulatory compliance standards, such as PCI-DSS, CIS and NIST, helping you maintain compliance.

Become a Microsoft Defender for Cloud Ninja
[Last update: 09/13/2024] This blog post is a curation of many Microsoft Defender for Cloud (formerly known as Azure Security Center and Azure Defender) resources, organized in a format that can help you go from no knowledge of Microsoft Defender for Cloud to designing and implementing different scenarios. You can use this blog post as a training roadmap to learn more about Microsoft Defender for Cloud. On November 2nd, at Microsoft Ignite 2021, Microsoft announced the rebrand of Azure Security Center and Azure Defender to Microsoft Defender for Cloud. To learn more about this change, read this article. Every month we add new updates to this article; you can track them by checking the red date beside each topic. If you have already studied all the modules and are ready for the knowledge check, follow the procedures below.

To obtain the Defender for Cloud Ninja Certificate
1. Take this knowledge check here, where you will find questions about the different areas and plans available in Defender for Cloud.
2. If you score 80% or more in the knowledge check, request your participation certificate here. If you scored less than 80%, review the questions you got wrong, study more and take the assessment again. Note: it can take up to 24 hours to receive your certificate via email.

To obtain the Defender for Servers Ninja Certificate (introduced 08/2023)
1. Take this knowledge check here, which contains only questions related to Defender for Servers.
2. If you score 80% or more in the knowledge check, request your participation certificate here. If you scored less than 80%, review the questions you got wrong, study more and take the assessment again. Note: it can take up to 24 hours to receive your certificate via email.

Modules
To become a Microsoft Defender for Cloud Ninja, you will need to complete each module.
The content of each module varies; refer to the legend to understand the type of content before clicking a topic's hyperlink. The table below summarizes the content of each module:

Module | Description
0 - CNAPP | In this module you will familiarize yourself with the concepts of CNAPP and how to plan a Defender for Cloud deployment as a CNAPP solution.
1 - Introducing Microsoft Defender for Cloud and Microsoft Defender Cloud plans | In this module you will familiarize yourself with Microsoft Defender for Cloud and understand the use case scenarios. You will also learn about Microsoft Defender for Cloud and Microsoft Defender Cloud plans pricing and the overall architecture data flow.
2 - Planning Microsoft Defender for Cloud | In this module you will learn the main considerations to correctly plan a Microsoft Defender for Cloud deployment, from supported platforms to best practices implementation.
3 - Enhance your Cloud Security Posture | In this module you will learn how to leverage Cloud Security Posture Management capabilities, such as Secure Score and Attack Path, to continuously improve your cloud security posture. This module includes automation samples that can be used to facilitate secure score adoption and operations.
4 - Cloud Security Posture Management Capabilities in Microsoft Defender for Cloud | In this module you will learn how to use the cloud security posture management capabilities available in Microsoft Defender for Cloud, which include vulnerability assessment, inventory, workflow automation and custom dashboards with workbooks.
5 - Regulatory Compliance Capabilities in Microsoft Defender for Cloud | In this module you will learn about the regulatory compliance dashboard in Microsoft Defender for Cloud and gain insights on how to include additional standards. In this module you will also familiarize yourself with Azure Blueprints for regulatory standards.
6 - Cloud Workload Protection Platform Capabilities in Azure Defender | In this module you will learn how the advanced cloud capabilities in Microsoft Defender for Cloud work, which include JIT, File Integrity Monitoring and Adaptive Application Control. This module also covers how threat protection works in Microsoft Defender for Cloud, the different categories of detections, and how to simulate alerts.
7 - Streaming Alerts and Recommendations to a SIEM Solution | In this module you will learn how to use native Microsoft Defender for Cloud capabilities to stream recommendations and alerts to different platforms. You will also learn more about Azure Sentinel native connectivity with Microsoft Defender for Cloud. Lastly, you will learn how to leverage the Graph Security API to stream alerts from Microsoft Defender for Cloud to Splunk.
8 - Integrations and APIs | In this module you will learn about the different integration capabilities in Microsoft Defender for Cloud, how to connect Tenable to Microsoft Defender for Cloud, and how other supported solutions can be integrated with Microsoft Defender for Cloud.
9 - DevOps Security | In this module you will learn more about DevOps Security capabilities in Defender for Cloud. You will be able to follow the interactive guide to understand the core capabilities and how to navigate through the product.
10 - Defender for APIs | In this module you will learn more about the new plan announced at RSA 2023. You will be able to follow the steps to onboard the plan and validate the threat detection capability.
11 - AI Posture Management and Workload Protection | In this module you will learn more about the risks of Gen AI and how Defender for Cloud can help improve your AI posture management and detect threats against your Gen AI apps.
Legend
Each link is marked with one of the following content types: Product videos, Webcast recordings, Tech Community, Docs on Microsoft, Blogs on Microsoft, GitHub, External, Interactive guides.

Module 0 - Cloud Native Application Protection Platform (CNAPP)
- Improving Your Multi-Cloud Security with a CNAPP - a vendor agnostic approach
- Microsoft CNAPP Solution
- Planning and Operationalizing Microsoft CNAPP
- Understanding Cloud Native Application Protection Platforms (CNAPP)
- Cloud Native Applications Protection Platform (CNAPP)
- Microsoft CNAPP eBook
- Understanding CNAPP

Module 1 - Introducing Microsoft Defender for Cloud
- What is Microsoft Defender for Cloud?
- A New Approach to Get Your Cloud Risks Under Control
- Getting Started with Microsoft Defender for Cloud
- Implementing a CNAPP Strategy to Embed Security From Code to Cloud
- Boost multicloud security with a comprehensive code to cloud strategy
- A new name for multi-cloud security: Microsoft Defender for Cloud
- Microsoft Defender for Cloud Data Flow
- Common questions about Defender for Cloud

Module 2 - Planning Microsoft Defender for Cloud
- Features for IaaS workloads
- Features for PaaS workloads
- Built-in RBAC Roles in Microsoft Defender for Cloud
- Enterprise Onboarding Guide
- Assigning Permissions in Microsoft Defender for Cloud
- Design Considerations for Log Analytics Workspace
- Microsoft Defender for Cloud Monitoring Agent Deployment Options
- Onboarding on-premises machines using Windows Admin Center
- Understanding Security Policies in Microsoft Defender for Cloud
- Creating Custom Policies
- Centralized Policy Management in Microsoft Defender for Cloud using Management Groups
- Planning Data Collection for IaaS VMs
- Considerations for Multi-Tenant Scenario
- How to Effectively Perform a Microsoft Defender for Cloud PoC
- Microsoft Defender for Cloud PoC Series - Microsoft Defender for Resource Manager
- Microsoft Defender for Cloud PoC Series - Microsoft Defender for Storage
- Microsoft Defender for Cloud PoC Series - Microsoft Defender for DNS
- Microsoft Defender for Cloud PoC Series - Microsoft Defender for App Service
- Microsoft Defender for Cloud PoC Series - Microsoft Defender for Container Registries
- Microsoft Defender for Cloud PoC Series - Microsoft Defender CSPM
- Microsoft Defender for DevOps GitHub Connector - Microsoft Defender for Cloud PoC Series
- Grant tenant-wide permissions to yourself
- Protect non-Azure resources using Azure Arc and Microsoft Defender for Cloud
- Simplifying Onboarding to Microsoft Defender for Cloud with Terraform

Module 3 - Enhance your Cloud Security Posture
- Azure Secure Score vs. Microsoft Secure Score
- How to calculate your secure score
- How Secure Score affects your governance
- Enhance your Secure Score in Microsoft Defender for Cloud
- Security recommendations
- Resource exemption
- Customizing Endpoint Protection Recommendation in Microsoft Defender for Cloud
- How to keep track of Resource Exemptions in Microsoft Defender for Cloud
- Deliver a Security Score weekly briefing
- Send Microsoft Defender for Cloud Recommendations to Azure Resource Stakeholders
- Secure Score Over Time Reports
- Secure Score Reduction Alert
- Weekly Secure Score Progress Report
- Average Time taken to remediate resources
- Improved experience for managing the default Azure security policies
- Security Policy Enhancements in Defender for Cloud
- Create custom recommendations and security standards
- Secure Score Overtime Workbook
- Automation Artifacts for Secure Score Recommendations
- Remediation Scripts
- Security Controls in Microsoft Defender for Cloud:
  - Enable MFA
  - Restrict Unauthorized Network Access
  - Secure Management Ports
  - Secure management ports demo
  - Apply adaptive application control
  - Enable auditing and logging
  - Enable auditing and logging demo
  - Remediate security configurations
  - Apply system updates
  - Enable endpoint protection demo
  - Encrypt data in transit
  - Encrypt data at rest
  - Protect Applications Against DDoS Attacks
  - Implement security best practices

Module 4 - Cloud Security Posture Management Capabilities in Microsoft Defender for Cloud
- CSPM in Defender for Cloud
- Take a Proactive Risk-Based Approach to Securing your Cloud Native Applications
- Predict future security incidents! Cloud Security Posture Management with Microsoft Defender
- Software inventory filters added to asset inventory
- Drive your organization to security actions using Governance experience
- Managing Asset Inventory in Microsoft Defender for Cloud
- Vulnerability Assessment Deployment Options
- Vulnerability Assessment Workbook Template
- Vulnerability Assessment for Containers
- Exporting Azure Container Registry Vulnerability Assessment in Microsoft Defender for Cloud
- Improvements in Continuous Export feature
- Implementing Workflow Automation
- Workflow Automation Artifacts
- Creating Custom Dashboard for Microsoft Defender for Cloud
- Using Microsoft Defender for Cloud API for Workflow Automation
- Understanding Network Map
- Using Adaptive Network Hardening
- Identify security vulnerabilities in workloads managed by Microsoft Defender for Cloud
- What you need to know when deleting and re-creating the security connector(s) in Defender for Cloud
- Connect AWS Account with Microsoft Defender for Cloud
- Video Demo - Connecting AWS accounts
- Microsoft Defender for Cloud PoC Series - Multi-cloud with AWS
- Onboarding your AWS/GCP environment to Microsoft Defender for Cloud with Terraform
- How to better manage cost of API calls that Defender for Cloud makes to AWS
- Connect GCP Account with Microsoft Defender for Cloud
- Protecting Containers in GCP with Defender for Containers
- Video Demo - Connecting GCP Accounts
- Microsoft Defender for Cloud PoC Series - Multicloud with GCP
- All You Need to Know About Microsoft Defender for Cloud Multicloud Protection
- Custom recommendations for AWS and GCP
- Azure Monitor Workbooks integrated into Microsoft Defender for Cloud and three templates provided
- How to Generate a Microsoft Defender for Cloud exemption and disable policy report
- Cloud security posture and contextualization across cloud boundaries from a single dashboard
- Best Practices to Manage and Mitigate Security Recommendations
- Defender CSPM:
  - Defender CSPM Plan Options
  - Cloud Security Explorer
  - Identify and remediate attack paths
  - Agentless scanning for machines
  - Cloud security explorer and Attack path analysis
  - Governance Rules at Scale
  - Governance Improvements
  - Data Security Aware Posture Management
  - A Proactive Approach to Cloud Security Posture Management with Microsoft Defender for Cloud
  - Prioritize Risk remediation with Microsoft Defender for Cloud Attack Path Analysis
  - Understanding data aware security posture capability
  - Agentless Container Posture
  - Agentless Container Posture Management
  - Microsoft Defender for Cloud - Automate Notifications when new Attack Paths are created
  - Proactively secure your Google Cloud Resources with Microsoft Defender for Cloud
  - Demystifying Defender CSPM
  - Discover and Protect Sensitive Data with Defender for Cloud
  - Defender for Cloud's Agentless secret scanning for virtual machines is now generally available!
  - Defender CSPM Support for GCP
  - Data Security Dashboard
  - Agentless Container Posture Management in Multicloud
  - Agentless malware scanning for servers
  - Recommendation Prioritization
  - Unified insights from Microsoft Entra Permissions Management
  - Defender CSPM Internet Exposure Analysis
  - ServiceNow's integration now includes Configuration Compliance module (09/2024)

Module 5 - Regulatory Compliance Capabilities in Microsoft Defender for Cloud
- Regulatory compliance dashboard
- Understanding Regulatory Compliance Capabilities in Microsoft Defender for Cloud
- Regulatory Compliance dashboard and security benchmark
- Adding new regulatory compliance standards
- Regulatory Compliance workbook
- Regulatory compliance dashboard now includes Azure Audit reports
- Microsoft cloud security benchmark: Azure compute benchmark is now aligned with CIS!
- Updated naming format of Center for Internet Security (CIS) standards in regulatory compliance
- CIS Azure Foundations Benchmark v2.0.0 in regulatory compliance dashboard
- Spanish National Security Framework (Esquema Nacional de Seguridad (ENS)) added to regulatory compliance dashboard for Azure (09/2024)

Module 6 - Cloud Workload Protection Platform Capabilities in Microsoft Defender for Cloud
- Understanding Just-in-Time VM Access
- Implementing JIT VM Access
- Automate JIT VM Access Deployment with PowerShell
- File Integrity Monitoring in Microsoft Defender
- Define known-safe applications using Adaptive Application Control
- Understanding Threat Protection in Microsoft Defender
- Microsoft Defender for Servers:
  - Demystifying Defender for Servers
  - Onboarding directly (without Azure Arc) to Defender for Servers
  - Agentless secret scanning for virtual machines in Defender for servers P2 & DCSPM
  - Vulnerability Management in Defender for Cloud
  - File Integrity Monitoring using Microsoft Defender for Endpoint (09/2024)
- Microsoft Defender for Network Layer
- Microsoft Defender for Containers:
  - January 2022 Updates for Defender for Containers
  - Demystifying Microsoft Defender for Containers
  - Basics of Defender for Containers
  - Secure your Containers from Build to Runtime
  - AWS ECR Coverage in Defender for Containers
  - Upgrade to Microsoft Defender Vulnerability Management
  - End to end container security with unified SOC experience
  - Binary drift detection episode (09/2024)
  - Binary drift detection (09/2024)
- Microsoft Defender for Storage:
  - Protect your storage resources against blob-hunting
  - Malware Scanning in Defender for Storage
- Microsoft Defender for SQL:
  - Microsoft Defender for SQL and the Vulnerability Assessment (VA)
  - New Defender for SQL VA
  - Microsoft Defender for SQL Anywhere
  - Validating Alerts on Microsoft Defender for SQL on machines
  - New autoprovisioning process for SQL Server on machines plan
- Defender for Open-Source Relational Databases Multicloud (09/2024)
- Microsoft Defender for KeyVault
- Microsoft Defender for AppService:
  - How Microsoft Defender for App Service works
- Microsoft Defender for IoT
- Microsoft Defender for Resource Manager
- Understanding Security Incident
- Security Alert Correlation
- Alert Reference Guide
- 'Copy alert JSON' button added to security alert details pane
- Alert Suppression
- Simulating Alerts in Microsoft Defender for Cloud
- Alert validation:
  - Simulating alerts for Windows
  - Simulating alerts for Linux
  - Simulating alerts for Containers
  - Simulating alerts for Storage
  - Simulating alerts for Microsoft Key Vault
  - Simulating alerts for Microsoft Defender for Resource Manager
- Integration with Microsoft Defender for Endpoint
- Auto-provisioning of Microsoft Defender for Endpoint unified solution
- Resolve security threats with Microsoft Defender for Cloud
- Protect your servers and VMs from brute-force and malware attacks with Microsoft Defender for Cloud
- Investigating Microsoft Defender for Cloud alerts using Azure Sentinel
- Service Layer Protection - Microsoft Defender for Resource Manager and DNS
- Azure Arc and Azure Microsoft for Kubernetes
- Filter security alerts by IP address
- Alerts by resource group
- Defender for Servers Security Alerts Improvements

Module 7 - Streaming Alerts and Recommendations to a SIEM Solution
- Continuous Export capability in Microsoft Defender for Cloud
- Deploying Continuous Export using Azure Policy
- Connecting Microsoft Sentinel with Microsoft Defender for Cloud
- Closing an Incident in Azure Sentinel and Dismissing an Alert in Microsoft Defender for Cloud
- Accessing Microsoft Defender for Cloud Alerts in Splunk using Graph Security API Integration
- Microsoft Sentinel bi-directional alert synchronization

Module 8 - Integrations and APIs
- Integration with Tenable
- Integrate security solutions in Microsoft Defender for Cloud
- Defender for Cloud integration with Defender EASM
- Defender for Cloud integration with Defender TI
- REST APIs for Microsoft Defender for Cloud
- Obtaining Secure Score via REST API
- Using Graph Security API to Query Alerts in Microsoft Defender for Cloud
- Automate(d) Security with Microsoft Defender for Cloud and Logic Apps
- Automating Cloud Security Posture and Cloud Workload Protection Responses

Module 9 - DevOps Security
- Overview of Microsoft Defender for Cloud DevOps Security
- DevOps Security Interactive Guide
- Configure the Microsoft Security DevOps Azure DevOps extension
- Configure the Microsoft Security DevOps GitHub action
- Automate SecOps to Developer Communication with Defender for DevOps
- Compliance for Exposed Secrets Discovered by DevOps Security
- Automate DevOps Security Recommendation Remediation
- DevOps Security Workbook
- Remediating Security Issues in Code with Pull Request Annotations
- Code to Cloud Security using Microsoft Defender for DevOps
- GitHub Advanced Security for Azure DevOps alerts in Defender for Cloud
- Securing your GitLab Environment with Microsoft Defender for Cloud
- Bridging the Gap Between Code and Cloud with Defender for Cloud

Module 10 - Defender for APIs
- What is Microsoft Defender for APIs?
- Onboard Defender for APIs
- Validating Microsoft Defender for APIs Alerts
- API Security with Defender for APIs
- Microsoft Defender for API Security Dashboard
- Exempt functionality now available for Defender for APIs recommendations
- Create sample alerts for Defender for APIs detections
- Defender for APIs reach GA
- Increasing API Security Testing Visibility

Module 11 - AI Posture Management and Workload Protection
- Secure your AI applications from code to runtime with Microsoft Defender for Cloud
- AI security posture management
- AI threat protection
- Secure your AI applications from code to runtime (09/2024)

Are you ready to take your knowledge check? If so, click here. If you score 80% or more in the knowledge check, request your participation certificate here. If you scored less than 80%, review the questions you got wrong, study more and take the assessment again. Note: it can take up to 24 hours to receive your certificate via email.

Other Resources
- Microsoft Defender for Cloud Interactive Guide
- Microsoft Defender for Cloud Labs
- Become a Microsoft Sentinel Ninja
- Become an MDE Ninja
- Cross-product lab (Defend the Flag)
- Release notes (updated every month)
- Important upcoming changes

Have a great time ramping up in Microsoft Defender for Cloud and becoming a Microsoft Defender for Cloud Ninja!

Reviewer: Tom Janetscheck, Senior PM

Detect Container Drift with Microsoft Defender for Containers
Introduction
In cloud-native Kubernetes environments, containers are often treated as immutable resources, meaning they should not change after deployment. Immutable containers minimize the attack surface because they do not allow modifications during runtime. This limits an attacker's ability to make unauthorized changes, install malware, or create backdoors within a running container.

Container drift refers to unintended or unauthorized manual changes, updates, patches, or other modifications made to a container during its runtime. When containers drift, they may incorporate untested and unverified changes, such as software updates, configuration modifications, or new libraries. These changes can introduce vulnerabilities that were not present in the original, vetted container image. Drift might introduce changes that grant elevated privileges to processes or users within the container, which can be exploited to gain broader access to the system or network. Changes caused by drift can also alter or disable security monitoring tools within the container, making it harder to detect and respond to security incidents promptly.

Microsoft Defender for Containers introduces binary drift detection, in public preview, to detect the execution of binaries in a running container that were not part of the original container image that was scanned, tested, and validated. It is available for Azure (AKS, version 1.29), Amazon (EKS), and Google (GKE) clusters. Binary drift detection helps organizations:

- Early detection of breaches: drift detection serves as an early warning system for potential security breaches. If an attacker compromises a container and executes an unauthorized binary, drift detection can immediately alert security teams, enabling them to respond quickly and mitigate the impact.
- Monitor for insider activity: drift detection helps mitigate insider threats by monitoring for unauthorized changes that could indicate malicious activity by an insider. This includes unauthorized changes to configurations, deployment scripts, or access controls within containers.
- Reduce human error: human error is a common cause of security breaches. Drift detection reduces this risk by ensuring that any unintended changes made by administrators or developers are quickly detected and corrected.
- Ensure compliance with security standards: many regulatory standards require organizations to maintain secure configurations and prevent unauthorized changes. Drift detection helps ensure compliance by continuously monitoring and documenting the state of containers, providing evidence that configurations remain consistent with regulatory requirements.

Prerequisites to enable binary drift detection
- The Defender for Containers plan must be enabled on the Azure subscription, AWS connector or GCP connector. For more details refer to Configure Microsoft Defender for Containers components - Microsoft Defender for Cloud | Microsoft Learn.
- The Defender sensor must be enabled.
- Security Admin or higher permissions on the tenant are required to create and modify drift policies.

Configure binary drift detection
Security Admins can configure drift detection policies at the Azure subscription, AWS connector or GCP connector level, and scope rules to resources at the cluster, namespace, pod, or individual container level. For details on how to configure drift detection rules, refer to Binary drift detection (preview) - Microsoft Defender for Cloud | Microsoft Learn.

Rules are evaluated in ascending order of priority: rule 1 is evaluated first and, if it matches, evaluation stops. If it does not match, the next rule is evaluated. If no rule matches, the out-of-the-box Default binary drift rule applies; its default action is Ignore drift detection, so nothing is alerted unless a rule you define says otherwise.

Best practices for drift detection
- Kubernetes administrators should ensure that all container images are regularly updated and patched to include the latest security fixes, so that patches arrive through a new image rather than being applied inside a running container.
- Detecting drift at the cluster level helps prevent unauthorized changes that could compromise the security and stability of the entire cluster. For example, an attacker gaining access to the Kubernetes API server might change cluster-wide settings to escalate privileges or disable security features.
- In multi-tenant environments, where different teams or customers share the same Kubernetes cluster but operate within their own namespaces, organizations can apply drift detection at the namespace level, monitoring only the areas of the cluster that are relevant to particular applications or teams.
- In development or testing environments, developers might need to make ad-hoc changes to containers to test new features or configurations, or to debug issues, without the overhead of redeploying containers. Apply such a ruleset only to the specifically labelled Kubernetes pods.
- During scheduled maintenance windows, organizations might need to apply emergency patches or make quick operational changes directly to running containers to address critical security vulnerabilities or fix urgent issues. In this scenario, set the rule action to Ignore drift detection to avoid false positives, and restore the alerting action once the window closes.
- Allow list for processes: organizations might define specific processes, such as monitoring or logging agents, as exempt from drift detection to avoid false positives.

Test / simulate a binary drift alert
To test the binary drift feature and generate alerts (only where the binary drift policy you defined is set to alert), execute any binary that is not part of the original image inside a running container.
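Because an alert only fires when a rule scoped to the container says so, it helps to work out which rule will handle a simulated event before running it. The Python model below is an added illustration, not Defender for Cloud's implementation: the priority order and the ignore-by-default rule follow the page, while the rule fields (namespace scope, pod labels, allow-listed process globs) and the constructed policy and events are assumptions.

```python
"""Ordered evaluation of binary drift rules, modelled in Python.

Added illustration: this is NOT Defender for Cloud's implementation. The rule
fields (namespaces, pod labels, allow-listed process globs) are assumptions
chosen to mirror the scopes the page describes; the priority order and the
"default rule ignores" behaviour follow the page.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Optional


@dataclass
class DriftRule:
    priority: float                     # lower number is evaluated first
    action: str                         # "alert" or "ignore"
    description: str
    namespaces: Optional[set] = None    # None means any namespace
    pod_labels: dict = field(default_factory=dict)        # all labels must match
    allowed_processes: set = field(default_factory=set)   # glob patterns exempt from alerting


@dataclass
class DriftEvent:
    """A binary that executed in a container but is absent from its image."""
    namespace: str
    pod: str
    process: str
    pod_labels: dict = field(default_factory=dict)


# Out-of-the-box rule: matches everything, evaluated last, ignores drift.
DEFAULT_RULE = DriftRule(priority=float("inf"), action="ignore",
                         description="Default binary drift")


def scope_matches(rule: DriftRule, event: DriftEvent) -> bool:
    if rule.namespaces is not None and event.namespace not in rule.namespaces:
        return False
    return all(event.pod_labels.get(k) == v for k, v in rule.pod_labels.items())


def evaluate(rules, event):
    """Return (action, reason) for the first rule, in ascending priority, whose
    scope matches; the default rule applies when none does."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if not scope_matches(rule, event):
            continue
        # Assumption: an allow-listed process under an alerting rule is not drift.
        if rule.action == "alert" and any(fnmatch(event.process, pat)
                                          for pat in rule.allowed_processes):
            return "ignore", f"{rule.description}: process allow-listed"
        return rule.action, rule.description
    return DEFAULT_RULE.action, DEFAULT_RULE.description


# Constructed policy: exempt labelled dev pods, alert in prod/default, allow agents.
RULES = [
    DriftRule(1, "ignore", "dev pods labelled drift-exempt",
              namespaces={"dev"}, pod_labels={"drift-exempt": "true"}),
    DriftRule(2, "alert", "alert in prod and default",
              namespaces={"prod", "default"},
              allowed_processes={"/usr/bin/fluent-bit", "/opt/agent/*"}),
]

# Constructed events (not real telemetry).
SAMPLE_EVENTS = [
    DriftEvent("default", "ubuntu-pod", "/bin/echod"),                     # the page's simulation
    DriftEvent("default", "web-0", "/opt/agent/collector"),                # allow-listed agent
    DriftEvent("dev", "scratch", "/bin/echod", {"drift-exempt": "true"}),  # rule 1 wins
    DriftEvent("dev", "scratch2", "/bin/echod"),                           # no rule matches
]


def run_sample():
    """Evaluate every sample event; returns [(pod, action, reason), ...]."""
    return [(ev.pod, *evaluate(RULES, ev)) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for pod, action, reason in run_sample():
        print(f"{pod:12} {action:7} {reason}")
```

The last sample event is the one that bites in practice: a dev pod without the exemption label matches neither rule and silently falls through to the default rule, which ignores the drift. If you expect an alert from the simulation command above, check that the pod's namespace and labels land in an alerting rule first.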
You can also use this command to create a binary drift scenario; it copies /bin/echo to a new path, /bin/echod, and executes that binary, which is not part of the image:

    kubectl run ubuntu-pod --image=ubuntu --restart=Never -- /bin/bash -c "cp /bin/echo /bin/echod; /bin/echod This is a binary drift execution"

Below you can observe the drift detection alert generated in a threat scenario (portal screenshot). Click Open Logs to further examine the activities performed on this resource around the time of the alert. In this case, the attempt to list the cluster admin credentials succeeded, and the alert indicates there are 42 more alerts on the affected resource. The resulting incident indicates that suspicious activity has been detected on the Kubernetes cluster: multiple alerts from different Defender for Cloud plans have been triggered on the same cluster, which increases confidence that the activity is malicious. The suspicious activity might indicate that a threat actor has gained unauthorized access to your environment and is attempting to compromise it.

Advanced hunting with XDR
Security teams can now access Defender for Cloud alerts and incidents within the Microsoft Defender portal and get the complete picture of an attack, including suspicious and malicious events in their cloud environment, through immediate correlation of alerts and incidents. By combining drift detection data with other security event information, SOC teams can build a more comprehensive understanding of potential incidents. A multi-stage incident involving multiple alerts can be observed in the XDR portal.
The alert evidence pane shows suspicious activity involving "ubuntu-pod". The SOC team can further investigate the commands executed on the affected pod, and the user who executed them, using the query below. The namespace filter is set to kube-system in this sample; change it to the namespace where the pod actually runs, or the query returns nothing:

    CloudAuditEvents
    | where Timestamp > ago(1d)
    | where DataSource == "Azure Kubernetes Service"
    | where OperationName == "create"
    | where RawEventData.ObjectRef.resource == "pods"
    | where RawEventData.ObjectRef.subresource == "exec"
    // 101 = Switching Protocols: the API server accepted the exec websocket, so the command ran
    | where RawEventData.ResponseStatus.code == 101
    // adjust to the namespace of the pod under investigation
    | where RawEventData.ObjectRef.namespace == "kube-system"
    | extend RequestURI = tostring(RawEventData.RequestURI)
    | extend PodName = tostring(RawEventData.ObjectRef.name)
    | extend PodNamespace = tostring(RawEventData.ObjectRef.namespace)
    | extend Username = tostring(RawEventData.User.username)
    | where PodName == "ubuntu-pod"
    // each argv element of the exec is sent as its own command= query parameter
    | extend Commands = extract_all(@"command=([^\&]*)", RequestURI)
    | extend ParsedCommand = url_decode(strcat_array(Commands, " "))
    | project Timestamp, AzureResourceId, OperationName, IPAddress, UserAgent, PodName, PodNamespace, Username, ParsedCommand

For more information on how to investigate suspicious Kubernetes (Kubeaudit) control plane activities in XDR advanced hunting, refer to: Kubeaudit events in advanced hunting - Microsoft Defender for Cloud | Microsoft Learn.

The SOC team can assign incidents from the Manage incident pane to mitigate the attack. Kubernetes cluster administrators can also configure automated workflows to handle common drift scenarios, such as reverting unauthorized changes, notifying relevant teams, or triggering response actions automatically.
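To make the query's logic checkable offline, here is the same exec-hunting filter re-implemented in Python and run over constructed audit rows. This is an added example, not Microsoft's code: the row shape mirrors the fields the KQL reads (RawEventData.ObjectRef, ResponseStatus, RequestURI, User), and the records, user names and IP addresses are made up.

```python
"""Python re-implementation of the exec-hunting query above, run offline over
constructed audit rows. Added illustration: not Microsoft's code. The row shape
mirrors the fields the KQL reads (RawEventData.ObjectRef, ResponseStatus,
RequestURI, User); the records themselves are made up.
"""
from urllib.parse import parse_qs, urlsplit

AKS = "Azure Kubernetes Service"


def _audit_row(ts, code, user, pod, uri, subresource="exec", ip="203.0.113.10"):
    """Build one constructed CloudAuditEvents-shaped row (namespace fixed to default)."""
    return {
        "Timestamp": ts, "DataSource": AKS, "OperationName": "create", "IPAddress": ip,
        "RawEventData": {
            "ObjectRef": {"resource": "pods", "subresource": subresource,
                          "name": pod, "namespace": "default"},
            "ResponseStatus": {"code": code},
            "RequestURI": uri,
            "User": {"username": user},
        },
    }


SAMPLE_AUDIT_EVENTS = [
    # The exec that copied /bin/echo to /bin/echod and ran it; 101 = websocket accepted.
    _audit_row("2024-09-10T14:02:11Z", 101, "alice@contoso.com", "ubuntu-pod",
               "/api/v1/namespaces/default/pods/ubuntu-pod/exec"
               "?command=%2Fbin%2Fbash&command=-c"
               "&command=cp+%2Fbin%2Fecho+%2Fbin%2Fechod%3B+%2Fbin%2Fechod+drift"
               "&container=ubuntu-pod&stdin=true&stdout=true&tty=true"),
    # Same pod, but RBAC denied the exec (403): no command ran.
    _audit_row("2024-09-10T14:05:40Z", 403, "bob@contoso.com", "ubuntu-pod",
               "/api/v1/namespaces/default/pods/ubuntu-pod/exec"
               "?command=id&container=ubuntu-pod&stdout=true"),
    # Exec into another pod: dropped by the pod-name predicate.
    _audit_row("2024-09-10T14:06:02Z", 101, "alice@contoso.com", "web-0",
               "/api/v1/namespaces/default/pods/web-0/exec"
               "?command=ls&container=web&stdout=true"),
    # Ordinary pod creation (no exec subresource): dropped.
    _audit_row("2024-09-10T13:58:00Z", 201, "alice@contoso.com", "ubuntu-pod",
               "/api/v1/namespaces/default/pods", subresource=""),
]


def exec_commands(events, pod_name, status_code=101):
    """Return the commands run via `kubectl exec` against pod_name.

    status_code=101 keeps only execs the API server actually upgraded to a
    websocket (the command ran); pass 403 to hunt for denied attempts instead.
    """
    hits = []
    for ev in events:
        raw = ev.get("RawEventData", {})
        ref = raw.get("ObjectRef", {})
        if ev.get("DataSource") != AKS or ev.get("OperationName") != "create":
            continue
        if ref.get("resource") != "pods" or ref.get("subresource") != "exec":
            continue
        if raw.get("ResponseStatus", {}).get("code") != status_code:
            continue
        if ref.get("name") != pod_name:
            continue
        # kubectl sends each argv element as its own command= parameter;
        # parse_qs keeps them in order and decodes both %XX and '+' escapes.
        query = parse_qs(urlsplit(raw.get("RequestURI", "")).query)
        hits.append({
            "timestamp": ev.get("Timestamp"),
            "namespace": ref.get("namespace"),
            "user": raw.get("User", {}).get("username"),
            "source_ip": ev.get("IPAddress"),
            "container": query.get("container", [None])[0],
            "command": " ".join(query.get("command", [])),
        })
    return hits


if __name__ == "__main__":
    for hit in exec_commands(SAMPLE_AUDIT_EVENTS, "ubuntu-pod"):
        print(f"{hit['timestamp']} {hit['user']} {hit['source_ip']} :: {hit['command']}")
    for hit in exec_commands(SAMPLE_AUDIT_EVENTS, "ubuntu-pod", status_code=403):
        print(f"DENIED {hit['timestamp']} {hit['user']} :: {hit['command']}")
```

Two details matter when you adapt this to real data. The response code 101 is what separates an exec that ran from one the API server rejected, and denied attempts (403) are worth a separate hunt because they show who tried. Joining the command= parameters in order is what turns `/bin/bash`, `-c` and the script body back into the line the operator typed.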
Additional Resources
You can also use the resources below to learn more about these capabilities:
- Binary drift detection in Defender for Containers (Video)
- Binary drift detection (preview) - Microsoft Defender for Cloud | Microsoft Learn
- Kubeaudit events in advanced hunting - Microsoft Defender for Cloud | Microsoft Learn
- Container security architecture - Microsoft Defender for Cloud | Microsoft Learn

Reviewers: Eyal Gur, Principal Product Manager, Defender for Cloud

Using Defender XDR Portal to hunt for Kubernetes security issues
In the last article, we showed how to leverage binary drift detection. In this article (Part 2 of the series) we build on that capability using the Defender XDR portal. This article walks you through some starter queries that augment the Defender for Containers alerts and shows you a quick way to hunt without requiring an in-depth understanding of Kubernetes. To recap the series:

Part 1: The newest detection, binary drift, and how you can expand the capability using the Microsoft Defender XDR portal (https://learn.microsoft.com/en-us/defender-xdr/microsoft-365-defender-portal). We also look at what you get as a result of the native integration between Defender for Cloud and Microsoft Defender XDR, and why this integration is advantageous for your SOC teams.

Part 2 [current]: Further expanding on the integration capabilities, we demonstrate how you can automate your hunts using custom detection rules (https://learn.microsoft.com/en-us/defender-xdr/custom-detection-rules), reducing operational burden and allowing you to proactively detect Kubernetes security issues. Wherever applicable, we also suggest an alternative way to perform the detection.

Part 3: Bringing AI to your advantage, we show how you can leverage Security Copilot both in Defender for Cloud and in the XDR portal for Kubernetes security use cases.