Microsoft Defender for Cloud PoC Series - Microsoft Defender for Kubernetes
Published Sep 02 2021 06:08 AM


In this article, I continue the Microsoft Defender for Cloud PoC series by providing guidelines and considerations for successfully performing a proof of concept for the Microsoft Defender for Kubernetes plan. For a more holistic approach that involves validating Microsoft Defender for Cloud as a whole, check out How to Effectively Perform a Microsoft Defender for Cloud PoC.



As part of this PoC, it is important to understand that Microsoft Defender for Kubernetes provides threat detection and protection at the cluster level by continuously monitoring your cluster's logs. This includes security events such as exposed Kubernetes dashboards and the creation of high-privileged roles. For AKS clusters, no provisioning actions are required aside from enabling Microsoft Defender for Cloud, because Defender for Cloud is integrated into AKS through the Azure backbone.
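As an added illustration of the kind of cluster-level log monitoring described above (not code from the original article and not Defender's own detection logic), the following Python example scans Kubernetes API server audit events for successful creation of high-privileged roles. The sample events, user names and function names are constructed for this example, and it assumes audit events logged at a level that includes the request body.

```python
import json

# Constructed audit events (audit.k8s.io/v1 Event fields); not real cluster data.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"verb": "create", "stage": "ResponseComplete", "user": {"username": "dev-alice"},
     "objectRef": {"resource": "clusterroles", "name": "ops-all"},
     "responseStatus": {"code": 201},
     "requestObject": {"rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}},
    {"verb": "create", "stage": "ResponseComplete", "user": {"username": "ci-bot"},
     "objectRef": {"resource": "clusterrolebindings", "name": "ci-admin"},
     "responseStatus": {"code": 201},
     "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}},
    {"verb": "create", "stage": "ResponseComplete", "user": {"username": "dev-bob"},
     "objectRef": {"resource": "roles", "namespace": "web", "name": "pod-reader"},
     "responseStatus": {"code": 201},
     "requestObject": {"rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get"]}]}},
    {"verb": "create", "stage": "ResponseComplete", "user": {"username": "dev-bob"},
     "objectRef": {"resource": "clusterrolebindings", "name": "denied"},
     "responseStatus": {"code": 403},  # rejected by the API server, so not a finding
     "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}},
])

def is_wildcard_rule(rule):
    # A rule granting every verb on every resource is effectively admin-level.
    return "*" in rule.get("verbs", []) and "*" in rule.get("resources", [])

def find_high_privilege_changes(log_text):
    """Return (user, resource, name, reason) for each successful risky RBAC write."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        code = (ev.get("responseStatus") or {}).get("code", 0)
        if ev.get("stage") != "ResponseComplete" or not 200 <= code < 300:
            continue  # only completed, successful requests changed the cluster
        if ev.get("verb") not in ("create", "update"):
            continue
        ref = ev.get("objectRef") or {}
        body = ev.get("requestObject") or {}
        user = (ev.get("user") or {}).get("username", "unknown")
        resource = ref.get("resource")
        if resource in ("roles", "clusterroles"):
            if any(is_wildcard_rule(r) for r in body.get("rules") or []):
                findings.append((user, resource, ref.get("name"), "wildcard verbs and resources"))
        elif resource in ("rolebindings", "clusterrolebindings"):
            if (body.get("roleRef") or {}).get("name") == "cluster-admin":
                findings.append((user, resource, ref.get("name"), "binds cluster-admin"))
    return findings
```
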


Microsoft Defender for Kubernetes will also protect your Kubernetes clusters wherever they are running, including on-premises or multi-cloud clusters. For multi-cloud and on-premises clusters, you will need to connect your Kubernetes cluster to Azure Arc, then deploy the Microsoft Defender for Kubernetes extension. For a comprehensive understanding of how to deploy the extension, visit the following resources: 


If this is your first time enabling Defender for Cloud, try it out for free for 30 days while you execute your PoC. During this time, you can decide whether you want to keep this plan; if you choose not to, be sure to disable it at the end of the free trial to avoid charges. For more pricing information, please visit: Pricing—Microsoft Defender for Cloud | Microsoft Azure.



To enable Microsoft Defender for Kubernetes, you will need to have the Security Admin role in the subscription where the plan will be enabled. To enable this plan, you simply switch the toggle from “off” to “on” as pictured below.

Figure 1: Enable Azure Defender for Kubernetes



Besides enabling the plan, you can also use the Security Admin role to dismiss potential alerts; however, if a user only needs to review findings, you can grant that user just the Security Reader role. When anomalous behavior occurs on your Kubernetes cluster, Microsoft Defender for Kubernetes will show alerts. To familiarize yourself with the alerts you may receive with this plan, review the Alerts Reference Guide.


To make sure you have a complete understanding of Microsoft Defender for Kubernetes, make sure to also check out these resources: 


Implementation and Validation 

Once enabled, you can check to see if Microsoft Defender is running properly by simulating an alert as instructed by the following resources: 


If you find alerts that are not relevant to your environment, you can either manually dismiss them or create suppression rules to automatically dismiss them in the future.  



By the end of this PoC, you should be able to determine the value of Microsoft Defender for Kubernetes and the significance of this level of threat detection on your workloads.  


P.S. Subscribe to our Microsoft Defender for Cloud Newsletter to stay up to date on helpful tips and new releases and join our Tech Community where you can be one of the first to hear the latest Microsoft Defender for Cloud news, announcements and get your questions answered by Azure Security experts.



@Yuri Diogenes , Principal Program Manager

@Maya_Herskovic , Senior Program Manager

Last update: Nov 29 2021 08:04 AM