Detections
Analytics

9.1.4.1 Ensure That Microsoft Defender for Containers Is Set To 'On'

Information

Microsoft Defender for Containers helps improve, monitor, and maintain the security of containerized assets-including Kubernetes clusters, nodes, workloads, container registries, and images-across multi-cloud and on-premises environments.

By default, when enabling the plan through the Azure Portal, Microsoft Defender for Containers automatically configures the following components:

 - Agentless scanning for machines
 - Defender sensor for runtime protection
 - Azure Policy for enforcing security best practices
 - K8S API access for monitoring and threat detection
 - Registry access for vulnerability assessment

Note: Microsoft Defender for Container Registries ('ContainerRegistry') is deprecated and has been replaced by Microsoft Defender for Containers ('Containers').

Enabling Microsoft Defender for Containers enhances defense-in-depth by providing advanced threat detection, vulnerability assessment, and security monitoring for containerized environments, leveraging insights from the Microsoft Security Response Center (MSRC).

Solution

Remediate from Azure Portal

 - Go to Microsoft Defender for Cloud
 - Under Management click Environment settings
 - Click the name of a subscription.
 - Under Settings click Defender plans
 - Under Cloud Workload Protection (CWP) in the row for Containers click On in the Status column.
 - If Monitoring coverage displays Partial click Settings under Partial
 - Set the status of each of the components to On
 - Click Continue
 - Click Save
 - Repeat steps 1-9 for each subscription.

Remediate from Azure CLI

Note: Microsoft Defender for Container Registries ('ContainerRegistry') is deprecated and has been replaced by Microsoft Defender for Containers ('Containers').

Run the below command to enable the Microsoft Defender for Containers plan and its components:

az security pricing create -n 'Containers' --tier 'standard' --extensions name=ContainerRegistriesVulnerabilityAssessments isEnabled=True --extensions name=AgentlessDiscoveryForKubernetes isEnabled=True --extensions name=AgentlessVmScanning isEnabled=True --extensions name=ContainerSensor isEnabled=True

Remediate from PowerShell

Note: Microsoft Defender for Container Registries ('ContainerRegistry') is deprecated and has been replaced by Microsoft Defender for Containers ('Containers').

Run the below command to enable the Microsoft Defender for Containers plan and its components:

Set-AzSecurityPricing -Name 'Containers' -PricingTier 'Standard' -Extension '[{"name":"ContainerRegistriesVulnerabilityAssessments","isEnabled":"True"},{"name":"AgentlessDiscoveryForKubernetes","isEnabled":"True"},{"name":"AgentlessVmScanning","isEnabled":"True"},{"name":"ContainerSensor","isEnabled":"True"}]'

Impact:

Microsoft Defender for Containers incurs a charge per vCore. Refer to

https://azure.microsoft.com/en-us/pricing/details/defender-for-cloud/

and

https://azure.microsoft.com/en-us/pricing/calculator/

to estimate potential costs.

See Also

https://workbench.cisecurity.org/benchmarks/19304

Item Details

Category: RISK ASSESSMENT

References: 800-53|RA-5, CSCv7|3.1

Plugin: microsoft_azure

Control ID: d15fe9981c78e9c5a9b0d9f34ec5333eaad5cab7a0564d317da216065a162814