Αυτό το πρόγραμμα περιήγησης δεν υποστηρίζεται πλέον.
Κάντε αναβάθμιση σε Microsoft Edge για να επωφεληθείτε από τις τελευταίες δυνατότητες, τις ενημερώσεις ασφαλείας και την τεχνική υποστήριξη.
Προσοχή
This article references CentOS, a Linux distribution that is End Of Service as of June 30, 2024. Please consider your use and planning accordingly. For more information, see the CentOS End Of Life guidance.
This article summarizes support information for Container capabilities in Microsoft Defender for Cloud.
Σημείωση
The following are the features provided by Defender for Containers, for the supported cloud environments and container registries.
| Feature | Description | Supported resources | Linux release state | Windows release state | Enablement method | Sensor | Plans | Azure clouds availability |
|---|---|---|---|---|---|---|---|---|
| Agentless discovery for Kubernetes 1 | Provides zero footprint, API-based discovery of Kubernetes clusters, their configurations and deployments. | AKS | GA | GA | Enable K8S API access toggle | Agentless | Defender for Containers OR Defender CSPM | Azure commercial clouds |
| Comprehensive inventory capabilities | Enables you to explore resources, pods, services, repositories, images, and configurations through security explorer to easily monitor and manage your assets. | ACR, AKS | GA | GA | Enable K8S API access toggle | Agentless | Defender for Containers OR Defender CSPM | Azure commercial clouds |
| Attack path analysis | A graph-based algorithm that scans the cloud security graph. The scans expose exploitable paths that attackers might use to breach your environment. | ACR, AKS | GA | GA | Activated with plan | Agentless | Defender CSPM (requires Agentless discovery for Kubernetes to be enabled) | Azure commercial clouds |
| Enhanced risk-hunting | Enables security admins to actively hunt for posture issues in their containerized assets through queries (built-in and custom) and security insights in the security explorer. | ACR, AKS | GA | GA | Enable K8S API access toggle | Agentless | Defender for Containers OR Defender CSPM | Azure commercial clouds |
| Control plane hardening 1 | Continuously assesses the configurations of your clusters and compares them with the initiatives applied to your subscriptions. When it finds misconfigurations, Defender for Cloud generates security recommendations that are available on Defender for Cloud's Recommendations page. The recommendations let you investigate and remediate issues. | ACR, AKS | GA | GA | Activated with plan | Agentless | Free | Commercial clouds National clouds: Azure Government, Azure operated by 21Vianet |
| Kubernetes data plane hardening 1 | Protect workloads of your Kubernetes containers with best practice recommendations. | AKS | GA | - | Enable Azure Policy for Kubernetes toggle | Azure Policy | Free | Commercial clouds National clouds: Azure Government, Azure operated by 21Vianet |
| CIS Azure Kubernetes Service | CIS Azure Kubernetes Service Benchmark | AKS | GA | - | Assigned as a security standard | Agentless | Defender for Containers OR Defender CSPM | Commercial clouds |
1 This feature can be enabled for an individual cluster when enabling Defender for Containers at the cluster resource level.
| Feature | Description | Supported resources | Linux release state | Windows release state | Enablement method | Sensor | Plans | Azure clouds availability |
|---|---|---|---|---|---|---|---|---|
| Agentless registry scan (powered by Microsoft Defender Vulnerability Management) supported packages | Vulnerability assessment for images in ACR | ACR, Private ACR | GA | GA | Enable Agentless container vulnerability assessment toggle (National clouds are automatically enabled and cannot be toggled) | Agentless | Defender for Containers or Defender CSPM | Commercial clouds National clouds: Azure Government, Azure operated by 21Vianet |
| Agentless/agent-based runtime (powered by Microsoft Defender Vulnerability Management) supported packages | Vulnerability assessment for running images in AKS | AKS | Preview (Containers running ACR images supported are GA) |
- | Enable Agentless container vulnerability assessment toggle | Agentless (Requires Agentless discovery for Kubernetes) OR/AND Defender sensor | Defender for Containers or Defender CSPM | Commercial clouds |
| Agentless K8s node scanning | Vulnerability assessment of K8s nodes | AKS | Preview | Preview | Enable Agentless scanning for machines | Agentless | Defender for Containers or Defender for Servers P2 or CSPM | Commercial clouds |
| Feature | Description | Supported resources | Linux release state | Windows release state | Enablement method | Sensor | Plans | Azure clouds availability |
|---|---|---|---|---|---|---|---|---|
| Control plane | Detection of suspicious activity for Kubernetes based on Kubernetes audit trail | AKS | GA | GA | Enabled with plan | Agentless | Defender for Containers | Commercial clouds National clouds: Azure Government, Azure operated by 21Vianet |
| Workload | Detection of suspicious activity for Kubernetes for cluster level, node level, and workload level | AKS | GA | - | Enable Defender Sensor in Azure toggle OR deploy Defender sensors on individual clusters | Defender sensor | Defender for Containers | Commercial clouds National clouds: Azure Government, Azure China 21Vianet |
| Node | Detection of malware on K8s nodes | AKS | Preview | Preview | Enable Agentless scanning for machines | Agentless | Defender for Containers or Defender for Servers P2 | Commercial clouds |
| Feature | Description | Supported resources | Linux release state | Windows release state | Enablement method | Sensor | Plans | Azure clouds availability |
|---|---|---|---|---|---|---|---|---|
| Discovery of unprotected clusters 1 | Discovering Kubernetes clusters missing Defender sensors | AKS | GA | GA | Enabled with plan | Agentless | Free | Commercial clouds National clouds: Azure Government, Azure operated by 21Vianet |
| Defender sensor auto provisioning | Automatic deployment of Defender sensor | AKS | GA | - | Enable Defender Sensor in Azure toggle | Agentless | Defender for Containers | Commercial clouds National clouds: Azure Government, Azure operated by 21Vianet |
| Azure Policy for Kubernetes auto provisioning 1 | Automatic deployment of Azure policy sensor for Kubernetes | AKS | GA | - | Enable Azure policy for Kubernetes toggle | Agentless | Free | Commercial clouds National clouds: Azure Government, Azure operated by 21Vianet |
1 This feature can be enabled for an individual cluster when enabling Defender for Containers at the cluster resource level.
| Aspect | Details |
|---|---|
| Registries and images | Supported * ACR registries * ACR registries protected with Azure Private Link (Private registries requires access to Trusted Services) * Container images in Docker V2 format * Images with Open Container Initiative (OCI) image format specification Unsupported * Super-minimalist images such as Docker scratch images are currently unsupported |
| Operating systems | Supported * Alpine Linux 3.12-3.21 * Red Hat Enterprise Linux 6-9 * CentOS 6-9. (CentOS is End Of Service as of June 30, 2024. For more information, see the CentOS End Of Life guidance.) * Oracle Linux 6-9 * Amazon Linux 1, 2 * openSUSE Leap, openSUSE Tumbleweed * SUSE Enterprise Linux 11-15 * Debian GNU/Linux 7-12 * Google Distroless (based on Debian GNU/Linux 7-12) * Ubuntu 12.04-22.04 * Fedora 31-37 * Mariner 1-2 * Windows Server 2016, 2019, 2022 |
| Language specific packages |
Supported * Python * Node.js * PHP * Ruby * Rust * .NET * Java * Go |
| Aspect | Details |
|---|---|
| Kubernetes distributions and configurations | Supported * Azure Kubernetes Service (AKS) with Kubernetes RBAC Supported via Arc enabled Kubernetes 1 2 * Azure Kubernetes Service hybrid * Kubernetes * AKS Engine * Azure Red Hat OpenShift |
1 Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters should be supported, but only the specified clusters have been tested on Azure.
2 To get Microsoft Defender for Containers protection for your environments, you need to onboard Azure Arc-enabled Kubernetes and enable Defender for Containers as an Arc extension.
Σημείωση
For additional requirements for Kubernetes workload protection, see existing limitations.
| Domain | Feature | Supported Resources | Linux release state | Windows release state | Agentless/Sensor-based | Pricing tier | ||
|---|---|---|---|---|---|---|---|---|
| Security posture management | Agentless discovery for Kubernetes | EKS | GA | GA | Agentless | Defender for Containers OR Defender CSPM | ||
| Security posture management | Comprehensive inventory capabilities | ECR, EKS | GA | GA | Agentless | Defender for Containers OR Defender CSPM | ||
| Security posture management | Attack path analysis | ECR, EKS | GA | GA | Agentless | Defender CSPM | ||
| Security posture management | Enhanced risk-hunting | ECR, EKS | GA | GA | Agentless | Defender for Containers OR Defender CSPM | ||
| Security posture management | CIS Amazon Elastic Kubenretes Service | EKS | GA | - | Agentless | Defender for Containers OR Defender CSPM | ||
| Security posture management | Control plane hardening | - | - | - | - | - | ||
| Security posture management | Kubernetes data plane hardening | EKS | GA | - | Azure Policy for Kubernetes | Defender for Containers | ||
| Vulnerability assessment | Agentless registry scan (powered by Microsoft Defender Vulnerability Management) supported packages | ECR | GA | GA | Agentless | Defender for Containers or Defender CSPM | ||
| Vulnerability assessment | Agentless/sensor-based runtime (powered by Microsoft Defender Vulnerability Management) supported packages | Supported container registries | Preview | - | Agentless OR/AND Defender sensor | Defender for Containers or Defender CSPM | ||
| Agentless K8s node scanning | Vulnerability assessment of K8s nodes | EKS | - | - | - | - | - | - |
| Runtime protection | Control plane | EKS | GA | GA | Agentless | Defender for Containers | ||
| Runtime protection | Workload | EKS | GA | - | Defender sensor | Defender for Containers | ||
| Deployment & monitoring | Discovery of unprotected clusters | EKS | GA | GA | Agentless | Defender for Containers | ||
| Deployment & monitoring | Auto provisioning of Defender sensor | EKS | GA | - | - | - | ||
| Deployment & monitoring | Auto provisioning of Azure Policy for Kubernetes | EKS | GA | - | - | - |
| Aspect | Details |
|---|---|
| Registries and images | Supported * ECR registries * Container images in Docker V2 format * Images with Open Container Initiative (OCI) image format specification Unsupported * Super-minimalist images such as Docker scratch images is currently unsupported * Public repositories * Manifest lists |
| Operating systems | Supported * Alpine Linux 3.12-3.21 * Red Hat Enterprise Linux 6-9 * CentOS 6-9 (CentOS is End Of Service as of June 30, 2024. For more information, see the CentOS End Of Life guidance.) * Oracle Linux 6-9 * Amazon Linux 1, 2 * openSUSE Leap, openSUSE Tumbleweed * SUSE Enterprise Linux 11-15 * Debian GNU/Linux 7-12 * Google Distroless (based on Debian GNU/Linux 7-12) * Ubuntu 12.04-22.04 * Fedora 31-37 * Mariner 1-2 * Windows server 2016, 2019, 2022 |
| Language specific packages |
Supported * Python * Node.js * PHP * Ruby * Rust * .NET * Java * Go |
| Aspect | Details |
|---|---|
| Kubernetes distributions and configurations | Supported * Amazon Elastic Kubernetes Service (EKS) Supported via Arc enabled Kubernetes 1 2 * Kubernetes Unsupported * EKS private clusters |
1 Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters should be supported, but only the specified clusters have been tested.
2 To get Microsoft Defender for Containers protection for your environments, you need to onboard Azure Arc-enabled Kubernetes and enable Defender for Containers as an Arc extension.
Σημείωση
For additional requirements for Kubernetes workload protection, see existing limitations.
Outbound proxy without authentication and outbound proxy with basic authentication are supported. Outbound proxy that expects trusted certificates is currently not supported.
If your Kubernetes cluster in AWS has control plane IP restrictions enabled (see Amazon EKS cluster endpoint access control - Amazon EKS ), the control plane's IP restriction configuration is updated to include the CIDR block of Microsoft Defender for Cloud.
| Domain | Feature | Supported Resources | Linux release state | Windows release state | Agentless/Sensor-based | Pricing tier | ||
|---|---|---|---|---|---|---|---|---|
| Security posture management | Agentless discovery for Kubernetes | GKE | GA | GA | Agentless | Defender for Containers OR Defender CSPM | ||
| Security posture management | Comprehensive inventory capabilities | GAR, GCR, GKE | GA | GA | Agentless | Defender for Containers OR Defender CSPM | ||
| Security posture management | Attack path analysis | GAR, GCR, GKE | GA | GA | Agentless | Defender CSPM | ||
| Security posture management | Enhanced risk-hunting | GAR, GCR, GKE | GA | GA | Agentless | Defender for Containers OR Defender CSPM | ||
| Security posture management | CIS Google Kubernetes Engine | GKE | GA | - | Agentless | Defender for Containers OR Defender CSPM | ||
| Security posture management | Control plane hardening | GKE | GA | GA | Agentless | Free | ||
| Security posture management | Kubernetes data plane hardening | GKE | GA | - | Azure Policy for Kubernetes | Defender for Containers | ||
| Vulnerability assessment | Agentless registry scan (powered by Microsoft Defender Vulnerability Management) supported packages | GAR, GCR | GA | GA | Agentless | Defender for Containers or Defender CSPM | ||
| Vulnerability assessment | Agentless/sensor-based runtime (powered by Microsoft Defender Vulnerability Management) supported packages | GKE | GA | GA | Agentless OR/AND Defender sensor | Defender for Containers or Defender CSPM | ||
| Agentless K8s node scanning | Vulnerability assessment of K8s nodes | GKE | - | - | - | - | - | - |
| Runtime protection | Control plane | GKE | GA | GA | Agentless | Defender for Containers | ||
| Runtime protection | Workload | GKE | GA | - | Defender sensor | Defender for Containers | ||
| Deployment & monitoring | Discovery of unprotected clusters | GKE | GA | GA | Agentless | Defender for Containers | ||
| Deployment & monitoring | Auto provisioning of Defender sensor | GKE | GA | - | Agentless | Defender for Containers | ||
| Deployment & monitoring | Auto provisioning of Azure Policy for Kubernetes | GKE | GA | - | Agentless | Defender for Containers |
| Aspect | Details |
|---|---|
| Registries and images | Supported * Google Registries (GAR, GCR) * Container images in Docker V2 format * Images with Open Container Initiative (OCI) image format specification Unsupported * Super-minimalist images such as Docker scratch images is currently unsupported * Public repositories * Manifest lists |
| Operating systems | Supported * Alpine Linux 3.12-3.21 * Red Hat Enterprise Linux 6-9 * CentOS 6-9 (CentOS is End Of Service as of June 30, 2024. For more information, see the CentOS End Of Life guidance.) * Oracle Linux 6-9 * Amazon Linux 1, 2 * openSUSE Leap, openSUSE Tumbleweed * SUSE Enterprise Linux 11-15 * Debian GNU/Linux 7-12 * Google Distroless (based on Debian GNU/Linux 7-12) * Ubuntu 12.04-22.04 * Fedora 31-37 * Mariner 1-2 * Windows server 2016, 2019, 2022 |
| Language specific packages |
Supported * Python * Node.js * PHP * Ruby * Rust * .NET * Java * Go |
| Aspect | Details |
|---|---|
| Kubernetes distributions and configurations | Supported * Google Kubernetes Engine (GKE) Standard Supported via Arc enabled Kubernetes 1 2 * Kubernetes Unsupported * Private network clusters * GKE autopilot * GKE AuthorizedNetworksConfig |
1 Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters should be supported, but only the specified clusters have been tested.
2 To get Microsoft Defender for Containers protection for your environments, you need to onboard Azure Arc-enabled Kubernetes and enable Defender for Containers as an Arc extension.
Σημείωση
For additional requirements for Kubernetes workload protection, see existing limitations.
Outbound proxy without authentication and outbound proxy with basic authentication are supported. Outbound proxy that expects trusted certificates is currently not supported.
If your Kubernetes cluster in GCP has control plane IP restrictions enabled (see Add authorized networks for control plane access | Google Kubernetes Engine (GKE) | Google Cloud ), the control plane's IP restriction configuration is updated to include the CIDR block of Microsoft Defender for Cloud.
| Domain | Feature | Supported Resources | Linux release state | Windows release state | Agentless/Sensor-based | Pricing tier |
|---|---|---|---|---|---|---|
| Security posture management | Docker CIS | Arc enabled VMs | Preview | - | Log Analytics agent | Defender for Servers Plan 2 |
| Security posture management | Control plane hardening | - | - | - | - | - |
| Security posture management | Kubernetes data plane hardening | Arc enabled K8s clusters | GA | - | Azure Policy for Kubernetes | Defender for Containers |
| Runtime protection | Threat protection (control plane) | Arc enabled K8s clusters | Preview | Preview | Defender sensor | Defender for Containers |
| Runtime protection | Threat protection (workload) | Arc enabled K8s clusters | Preview | - | Defender sensor | Defender for Containers |
| Deployment & monitoring | Discovery of unprotected clusters | Arc enabled K8s clusters | Preview | - | Agentless | Free |
| Deployment & monitoring | Auto provisioning of Defender sensor | Arc enabled K8s clusters | Preview | Preview | Agentless | Defender for Containers |
| Deployment & monitoring | Auto provisioning of Azure Policy for Kubernetes | Arc enabled K8s clusters | Preview | - | Agentless | Defender for Containers |
| Domain | Feature | Supported Resources | Linux release state | Windows release state | Agentless/Sensor-based | Pricing tier |
|---|---|---|---|---|---|---|
| Security posture management | Comprehensive inventory capabilities | Docker Hub , JFrog Artifactory | Preview | Preview | Agentless | Foundational CSPM OR Defender for Containers OR Defender CSPM |
| Security posture management | Attack path analysis | Docker Hub , JFrog Artifactory | Preview | Preview | Agentless | Defender CSPM |
| Vulnerability assessment | Agentless registry scan (powered by Microsoft Defender Vulnerability Management) supported packages | Docker Hub , JfFrog Artifactory | Preview | Preview | Agentless | Defender for Containers OR Defender CSPM |
| Vulnerability assessment | Agentless/sensor-based runtime (powered by Microsoft Defender Vulnerability Management) supported packages | Docker Hub , JFrog Artifactory | Preview | Preview | Agentless OR/AND Defender sensor | Defender for Containers OR Defender CSPM |
| Aspect | Details |
|---|---|
| Kubernetes distributions and configurations | Supported via Arc enabled Kubernetes 1 2 * Azure Kubernetes Service hybrid * Azure Red Hat OpenShift * Red Hat OpenShift (version 4.6 or newer) |
1 Any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters should be supported, but only the specified clusters have been tested.
2 To get Microsoft Defender for Containers protection for your environments, you need to onboard Azure Arc-enabled Kubernetes and enable Defender for Containers as an Arc extension.
Σημείωση
For additional requirements for Kubernetes workload protection, see existing limitations.
Defender for Containers relies on the Defender sensor for several features. The Defender sensor is supported only with Linux Kernel 5.4 and above, on the following host operating systems:
Ensure your Kubernetes node is running on one of these verified operating systems. Clusters with unsupported host operating systems don't get the benefits of features relying on Defender sensor.
The Defender sensor in AKS V1.28 and below isn't supported on Arm64 nodes.
Outbound proxy without authentication and outbound proxy with basic authentication are supported. Outbound proxy that expects trusted certificates is currently not supported.
Εκπαίδευση
Λειτουργική μονάδα
Connect non-Azure resources to Microsoft Defender for Cloud - Training
Connect non-Azure resources to Microsoft Defender for Cloud
Πιστοποίηση
Microsoft Certified: Security Operations Analyst Associate - Certifications
Investigate, search for, and mitigate threats using Microsoft Sentinel, Microsoft Defender for Cloud, and Microsoft 365 Defender.