Enable Microsoft Defender for Containers

Microsoft Defender for Containers is the cloud-native solution for securing your containers.

Defender for Containers protects your clusters whether they're running in:

• Azure Kubernetes Service (AKS) - Microsoft's managed service for developing, deploying, and managing containerized applications.

• Amazon Elastic Kubernetes Service (EKS) in a connected Amazon Web Services (AWS) account - Amazon's managed service for running Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes.

• Google Kubernetes Engine (GKE) in a connected Google Cloud Platform (GCP) project - Google’s managed environment for deploying, managing, and scaling applications using GCP infrastructure.

• Other Kubernetes distributions (using Azure Arc-enabled Kubernetes) - Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters hosted on-premises or on IaaS. For more information, see the On-prem/IaaS (Arc) section of Supported features by environment.

Learn about this plan in Overview of Microsoft Defender for Containers.

You can learn more by watching these videos from the Defender for Cloud in the Field video series:

• Microsoft Defender for Containers in a multicloud environment
• Protect Containers in GCP with Defender for Containers

Note

Defender for Containers' support for Arc-enabled Kubernetes clusters, AWS EKS, and GCP GKE. This is a preview feature.

To learn more about the supported operating systems, feature availability, outbound proxy and more see the Defender for Containers feature availability.

Network requirements

Validate the following endpoints are configured for outbound access so that the Defender profile can connect to Microsoft Defender for Cloud to send security data and events:

See the required FQDN/application rules for Microsoft Defender for Containers.

By default, AKS clusters have unrestricted outbound (egress) internet access.

Network requirements

Validate the following endpoints are configured for outbound access so that the Defender extension can connect to Microsoft Defender for Cloud to send security data and events:

For Azure public cloud deployments:

Domain	Port
*.ods.opinsights.azure.com	443
*.oms.opinsights.azure.com	443
login.microsoftonline.com	443

The following domains are only necessary if you're using a relevant OS. For example, if you have EKS clusters running in AWS, then you would only need to apply the Amazon Linux 2 (Eks): Domain: "amazonlinux.*.amazonaws.com/2/extras/*" domain.

Domain	Port	Host operating systems
amazonlinux.*.amazonaws.com/2/extras/*	443	Amazon Linux 2
yum default repositories	-	RHEL / Centos
apt default repositories	-	Debian

You'll also need to validate the Azure Arc-enabled Kubernetes network requirements.

Tip

When using this extension with AKS hybrid clusters provisioned from Azure you must set --cluster-type to use provisionedClusters and also add --cluster-resource-provider microsoft.hybridcontainerservice to the command. Installing Azure Arc extensions on AKS hybrid clusters provisioned from Azure is currently in preview.

Enable the plan

To enable the plan:

1. From Defender for Cloud's menu, open the Settings page and select the relevant subscription.

2. In the Defender plans page, select Defender for Containers and select Settings.

   

   Tip

   If the subscription already has Defender for Kubernetes and/or Defender for container registries enabled, an update notice is shown. Otherwise, the only option will be Defender for Containers.

   

3. Turn the relevant component on to enable it.

   

   Note

   When you turn off Defender for Containers, the components are set to off and are not deployed to any more containers but they are not removed from containers that they are already installed on.

By default, when enabling the plan through the Azure portal, Microsoft Defender for Containers is configured to automatically install required components to provide the protections offered by plan, including the assignment of a default workspace.

You can assign a custom workspace through Azure Policy.

If you don't want to automatically install the Defender for Containers monitoring components on your container resources, select Edit configuration for the Containers plan. Then, in the Settings & monitoring page, turn off automatic installation for each component.

In addition, you can modify this configuration from the Defender plans page.

If you disable the automatic installation of any component, you can easily deploy the component to one or more clusters using the appropriate recommendation:

• Policy Add-on for Kubernetes - Azure Kubernetes Service clusters should have the Azure Policy Add-on for Kubernetes installed

• Azure Kubernetes Service profile - Azure Kubernetes Service clusters should have Defender profile enabled

• Azure Arc-enabled Kubernetes Defender extension - Azure Arc-enabled Kubernetes clusters should have the Defender extension installed

• Azure Arc-enabled Kubernetes Policy extension - Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed

  Note

  Microsoft Defender for Containers is configured to defend all of your clouds automatically. When you install all of the required prerequisites and enable all of the automatic installation capabilities.

  If you choose to disable all of the automatic installation configuration options, no agents, or components will be deployed to your clusters. Protection will be limited to the Agentless features only. Learn which features are Agentless in the availability section for Defender for Containers.

Learn more about the roles used to provision Defender for Containers extensions.

Deploy the Defender profile

You can enable the Defender for Containers plan and deploy all of the relevant components from the Azure portal, the REST API, or with a Resource Manager template. For detailed steps, select the relevant tab.

Once the Defender profile has been deployed, a default workspace will be automatically assigned. You can assign a custom workspace in place of the default workspace through Azure Policy.

Note

The Defender profile is deployed to each node to provide the runtime protections and collect signals from those nodes using eBPF technology.

Azure portal

Use the fix button from the Defender for Cloud recommendation

A streamlined, frictionless, process lets you use the Azure portal pages to enable the Defender for Cloud plan and setup auto provisioning of all the necessary components for defending your Kubernetes clusters at scale.

A dedicated Defender for Cloud recommendation provides:

• Visibility about which of your clusters has the Defender profile deployed
• Fix button to deploy it to those clusters without the extension

1. From Microsoft Defender for Cloud's recommendations page, open the Enable enhanced security security control.

2. Use the filter to find the recommendation named Azure Kubernetes Service clusters should have Defender profile enabled.

   Tip

   Notice the Fix icon in the actions column

3. Select the clusters to see the details of the healthy and unhealthy resources - clusters with and without the profile.

4. From the unhealthy resources list, select a cluster and select Remediate to open the pane with the remediation confirmation.

5. Select Fix X resources.

REST API

Use the REST API to deploy the Defender profile

To install the 'SecurityProfile' on an existing cluster with the REST API, run the following PUT command:

PUT https://management.azure.com/subscriptions/{{Subscription Id}}/resourcegroups/{{Resource Group}}/providers/Microsoft.Kubernetes/connectedClusters/{{Cluster Name}}/providers/Microsoft.KubernetesConfiguration/extensions/microsoft.azuredefender.kubernetes?api-version=2020-07-01-preview

Request URI: https://management.azure.com/subscriptions/{{SubscriptionId}}/resourcegroups/{{ResourceGroup}}/providers/Microsoft.ContainerService/managedClusters/{{ClusterName}}?api-version={{ApiVersion}}

Request query parameters:

Name	Description	Mandatory
SubscriptionId	Cluster's subscription ID	Yes
ResourceGroup	Cluster's resource group	Yes
ClusterName	Cluster's name	Yes
ApiVersion	API version, must be >= 2022-06-01	Yes

Request Body:

{
  "location": "{{Location}}",
  "properties": {
    "securityProfile": {
            "defender": {
                "logAnalyticsWorkspaceResourceId": "{{LAWorkspaceResourceId}}",
                "securityMonitoring": {
                    "enabled": true,
                }
            }
        }
    }
}

Request body parameters:

Name	Description	Mandatory
location	Cluster's location	Yes
properties.securityProfile.defender.securityMonitoring.enabled	Determines whether to enable or disable Microsoft Defender for Containers on the cluster	Yes
properties.securityProfile.defender.logAnalyticsWorkspaceResourceId	Log Analytics workspace Azure resource ID	Yes

Azure CLI

Use Azure CLI to deploy the Defender extension

1. Sign in to Azure:

   az login
   az account set --subscription <your-subscription-id>
   

   Important

   Ensure that you use the same subscription ID for <your-subscription-id> as the one associated with your AKS cluster.

2. Enable the Defender profile on your containers:

   • Run the following command to create a new cluster with the Defender profile enabled:

     az aks create --enable-defender --resource-group <your-resource-group> --name <your-cluster-name>
     

   • Run the following command to enable the Defender profile on an existing cluster:

     az aks update --enable-defender --resource-group <your-resource-group> --name <your-cluster-name>
     

   A description of all the supported configuration settings on the Defender extension type is given below:

   Property

   Description

   logAnalyticsWorkspaceResourceId

   Optional. Full resource ID of your own Log Analytics workspace. When not provided, the default workspace of the region will be used. To get the full resource ID, run the following command to display the list of workspaces in your subscriptions in the default JSON format: az resource list --resource-type Microsoft.OperationalInsights/workspaces -o json The Log Analytics workspace resource ID has the following syntax: /subscriptions/{your-subscription-id}/resourceGroups/{your-resource-group}/providers/Microsoft.OperationalInsights/workspaces/{your-workspace-name}. Learn more in Log Analytics workspaces

   You can include these settings in a JSON file and specify the JSON file in the az aks create and az aks update commands with this parameter: --defender-config <path-to-JSON-file>. The format of the JSON file must be:

   {"logAnalyticsWorkspaceResourceId": "<workspace-id>"}
   

   Learn more about AKS CLI commands in az aks.

3. To verify that the profile was successfully added, run the following command on your machine with the kubeconfig file pointed to your cluster:

   kubectl get pods -n kube-system
   

   When the profile is added, you should see a pod called microsoft-defender-XXXXX in Running state. It might take a few minutes for pods to be added.

Resource Manager

Use Azure Resource Manager to deploy the Defender profile

To use Azure Resource Manager to deploy the Defender profile, you'll need a Log Analytics workspace on your subscription. Learn more in Log Analytics workspaces.

Tip

If you're new to Resource Manager templates, start here: What are Azure Resource Manager templates?

To install the 'SecurityProfile' on an existing cluster with Resource Manager:

{ 
    "type": "Microsoft.ContainerService/managedClusters", 
    "apiVersion": "2022-06-01", 
    "name": "string", 
    "location": "string",
    "properties": {
        …
        "securityProfile": { 
            "defender": { 
                "logAnalyticsWorkspaceResourceId": “logAnalyticsWorkspaceResourceId",
                "securityMonitoring": {
                    "enabled": true
                }
            }
        }
    }
}

Enable the plan

To enable the plan:

1. From Defender for Cloud's menu, open the Settings page and select the relevant subscription.

2. In the Defender plans page, select Defender for Containers and select Settings.

   Tip

   If the subscription already has Defender for Kubernetes or Defender for container registries enabled, an update notice is shown. Otherwise, the only option will be Defender for Containers.

   

3. Turn the relevant component on to enable it.

   

   Note

   When you turn off Defender for Containers, the components are set to off and are not deployed to any more containers but they are not removed from containers that they are already installed on.

By default, when enabling the plan through the Azure portal, Microsoft Defender for Containers is configured to automatically install required components to provide the protections offered by plan, including the assignment of a default workspace.

If you want to disable automatic installation of components during the onboarding process, select Edit configuration for the Containers plan. The Advanced options will appear, and you can disable automatic installation for each component.

In addition, you can modify this configuration from the Defender plans page.

Note

If you choose to disable the plan at any time after enabling it through the portal as shown above, you'll need to manually remove Defender for Containers components deployed on your clusters.

You can assign a custom workspace through Azure Policy.

If you disable the automatic installation of any component, you can easily deploy the component to one or more clusters using the appropriate recommendation:

• Policy Add-on for Kubernetes - Azure Kubernetes Service clusters should have the Azure Policy Add-on for Kubernetes installed
• Azure Kubernetes Service profile - Azure Kubernetes Service clusters should have Defender profile enabled
• Azure Arc-enabled Kubernetes extension - Azure Arc-enabled Kubernetes clusters should have the Defender extension installed
• Azure Arc-enabled Kubernetes Policy extension - Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed

Learn more about the roles used to provision Defender for Containers extensions.

Prerequisites

Before deploying the extension, ensure you:

• Connect the Kubernetes cluster to Azure Arc
• Complete the pre-requisites listed under the generic cluster extensions documentation.

Deploy the Defender extension

You can deploy the Defender extension using a range of methods. For detailed steps, select the relevant tab.

Azure portal

Use the fix button from the Defender for Cloud recommendation

A dedicated Defender for Cloud recommendation provides:

• Visibility about which of your clusters has the Defender for Kubernetes extension deployed
• Fix button to deploy it to those clusters without the extension

1. From Microsoft Defender for Cloud's recommendations page, open the Enable enhanced security security control.

2. Use the filter to find the recommendation named Azure Arc-enabled Kubernetes clusters should have Defender for Cloud's extension installed.

   

   Tip

   Notice the Fix icon in the actions column

3. Select the extension to see the details of the healthy and unhealthy resources - clusters with and without the extension.

4. From the unhealthy resources list, select a cluster and select Remediate to open the pane with the remediation options.

5. Select the relevant Log Analytics workspace and select Remediate x resource.

   

Azure CLI

Use Azure CLI to deploy the Defender extension

1. Sign in to Azure:

   az login
   az account set --subscription <your-subscription-id>
   

   Important

   Ensure that you use the same subscription ID for <your-subscription-id> as the one that was used when connecting your cluster to Azure Arc.

2. Run the following command to deploy the extension on top of your Azure Arc-enabled Kubernetes cluster:

   az k8s-extension create --name microsoft.azuredefender.kubernetes --cluster-type connectedClusters --cluster-name <cluster-name> --resource-group <resource-group> --extension-type microsoft.azuredefender.kubernetes
   

   A description of all the supported configuration settings on the Defender extension type is given below:

   Property	Description
   logAnalyticsWorkspaceResourceID	Optional. Full resource ID of your own Log Analytics workspace. When not provided, the default workspace of the region will be used. To get the full resource ID, run the following command to display the list of workspaces in your subscriptions in the default JSON format: az resource list --resource-type Microsoft.OperationalInsights/workspaces -o json The Log Analytics workspace resource ID has the following syntax: /subscriptions/{your-subscription-id}/resourceGroups/{your-resource-group}/providers/Microsoft.OperationalInsights/workspaces/{your-workspace-name}. Learn more in Log Analytics workspaces
   auditLogPath	Optional. The full path to the audit log files. When not provided, the default path /var/log/kube-apiserver/audit.log will be used. For AKS Engine, the standard path is /var/log/kubeaudit/audit.log

   The below command shows an example usage of all optional fields:

   az k8s-extension create --name microsoft.azuredefender.kubernetes --cluster-type connectedClusters --cluster-name <your-connected-cluster-name> --resource-group <your-rg> --extension-type microsoft.azuredefender.kubernetes --configuration-settings logAnalyticsWorkspaceResourceID=<log-analytics-workspace-resource-id> auditLogPath=<your-auditlog-path>
   

Resource Manager

Use Azure Resource Manager to deploy the Defender extension

To use Azure Resource Manager to deploy the Defender extension, you'll need a Log Analytics workspace on your subscription. Learn more in Log Analytics workspaces.

You can use the azure-defender-extension-arm-template.json Resource Manager template from Defender for Cloud's installation examples.

Tip

If you're new to Resource Manager templates, start here: What are Azure Resource Manager templates?

REST API

Use REST API to deploy the Defender extension

To use the REST API to deploy the Defender extension, you'll need a Log Analytics workspace on your subscription. Learn more in Log Analytics workspaces.

Tip

The simplest way to use the API to deploy the Defender extension is with the supplied Postman Collection JSON example from Defender for Cloud's installation examples.

• To modify the Postman Collection JSON, or to manually deploy the extension with the REST API, run the following PUT command:

  PUT https://management.azure.com/subscriptions/{{Subscription Id}}/resourcegroups/{{Resource Group}}/providers/Microsoft.Kubernetes/connectedClusters/{{Cluster Name}}/providers/Microsoft.KubernetesConfiguration/extensions/microsoft.azuredefender.kubernetes?api-version=2020-07-01-preview
  

  Where:

  Name	In	Required	Type	Description
  Subscription ID	Path	True	String	Your Azure Arc-enabled Kubernetes resource's subscription ID
  Resource Group	Path	True	String	Name of the resource group containing your Azure Arc-enabled Kubernetes resource
  Cluster Name	Path	True	String	Name of your Azure Arc-enabled Kubernetes resource

  For Authentication, your header must have a Bearer token (as with other Azure APIs). To get a bearer token, run the following command:

  az account get-access-token --subscription <your-subscription-id> Use the following structure for the body of your message:

  { 
  "properties": { 
      "extensionType": "microsoft.azuredefender.kubernetes",
  "con    figurationSettings": { 
          "logAnalytics.workspaceId":"YOUR-WORKSPACE-ID"
      // ,    "auditLogPath":"PATH/TO/AUDITLOG"
      },
      "configurationProtectedSettings": {
          "logAnalytics.key":"YOUR-WORKSPACE-KEY"
      }
      }
  } 
  

  Description of the properties is given below:

  Property	Description
  logAnalytics.workspaceId	Workspace ID of the Log Analytics resource
  logAnalytics.key	Key of the Log Analytics resource
  auditLogPath	Optional. The full path to the audit log files. The default value is /var/log/kube-apiserver/audit.log

Verify the deployment

To verify that your cluster has the Defender extension installed on it, follow the steps in one of the tabs below:

Azure portal - Defender for Cloud

Use Defender for Cloud recommendation to verify the status of your extension

1. From Microsoft Defender for Cloud's recommendations page, open the Enable Microsoft Defender for Cloud security control.

2. Select the recommendation named Azure Arc-enabled Kubernetes clusters should have Microsoft Defender for Cloud's extension installed.

   

3. Check that the cluster on which you deployed the extension is listed as Healthy.

Azure portal - Azure Arc

Use the Azure Arc pages to verify the status of your extension

1. From the Azure portal, open Azure Arc.

2. From the infrastructure list, select Kubernetes clusters and then select the specific cluster.

3. Open the extensions page. The extensions on the cluster are listed. To confirm whether the Defender extension was installed correctly, check the Install status column.

   

4. For more details, select the extension.

   

Azure CLI

Use Azure CLI to verify that the extension is deployed

1. Run the following command on Azure CLI:

   az k8s-extension show --cluster-type connectedClusters --cluster-name <your-connected-cluster-name> --resource-group <your-rg> --name microsoft.azuredefender.kubernetes
   

2. In the response, look for "extensionType": "microsoft.azuredefender.kubernetes" and "installState": "Installed".

   Note

   It might show "installState": "Pending" for the first few minutes.

3. If the state shows Installed, run the following command on your machine with the kubeconfig file pointed to your cluster to check that a pod called "azuredefender-XXXXX" is in 'Running' state:

   kubectl get pods -n azuredefender
   

REST API

Use the REST API to verify that the extension is deployed

To confirm a successful deployment, or to validate the status of your extension at any time:

1. Run the following GET command:

   GET https://management.azure.com/subscriptions/{{Subscription Id}}/resourcegroups/{{Resource Group}}/providers/Microsoft.Kubernetes/connectedClusters/{{Cluster Name}}/providers/Microsoft.KubernetesConfiguration/extensions/microsoft.azuredefender.kubernetes?api-version=2020-07-01-preview
   

2. In the response, look in "extensionType": "microsoft.azuredefender.kubernetes" for "installState": "Installed".

   Tip

   It might show "installState": "Pending" for the first few minutes.

3. If the state shows Installed, run the following command on your machine with the kubeconfig file pointed to your cluster to check that a pod called "azuredefender-XXXXX" is in 'Running' state:

   kubectl get pods -n azuredefender
   

Protect Amazon Elastic Kubernetes Service clusters

Important

If you haven't already connected an AWS account, connect your AWS accounts to Microsoft Defender for Cloud.

To protect your EKS clusters, enable the Containers plan on the relevant account connector:

1. From Defender for Cloud's menu, open Environment settings.

2. Select the AWS connector.

   

3. Set the toggle for the Containers plan to On.

   

4. (Optional) To change the retention period for your audit logs, select Configure, enter the required timeframe, and select Save.

   

   Note

   If you disable this configuration, then the Threat detection (control plane) feature will be disabled. Learn more about features availability.

5. (Optional) Enable vulnerability scanning of your ECR images. Learn more about vulnerability assessment for ECR images.

6. Continue through the remaining pages of the connector wizard.

7. Azure Arc-enabled Kubernetes, the Defender extension, and the Azure Policy extension should be installed and running on your EKS clusters. There is a dedicated Defender for Cloud recommendations to install these extensions (and Azure Arc if necessary):

   • EKS clusters should have Microsoft Defender's extension for Azure Arc installed

   For each of the recommendations, follow the steps below to install the required extensions.

   To install the required extensions:

   1. From Defender for Cloud's Recommendations page, search for one of the recommendations by name.

   2. Select an unhealthy cluster.

      Important

      You must select the clusters one at a time.

      Don't select the clusters by their hyperlinked names: select anywhere else in the relevant row.

   3. Select Fix.

   4. Defender for Cloud generates a script in the language of your choice: select Bash (for Linux) or PowerShell (for Windows).

   5. Select Download remediation logic.

   6. Run the generated script on your cluster.

   7. Repeat steps "a" through "f" for the second recommendation.

   

View recommendations and alerts for your EKS clusters

Tip

You can simulate container alerts by following the instructions in this blog post.

To view the alerts and recommendations for your EKS clusters, use the filters on the alerts, recommendations, and inventory pages to filter by resource type AWS EKS cluster.

Protect Google Kubernetes Engine (GKE) clusters

Important

If you haven't already connected a GCP project, connect your GCP projects to Microsoft Defender for Cloud.

To protect your GKE clusters, you'll need to enable the Containers plan on the relevant GCP project.

To protect Google Kubernetes Engine (GKE) clusters:

1. Sign in to the Azure portal.

2. Navigate to Microsoft Defender for Cloud > Environment settings.

3. Select the relevant GCP connector

   

4. Select the Next: Select plans > button.

5. Ensure that the Containers plan is toggled to On.

   

6. (Optional) Configure the containers plan.

7. Select the Copy button.

   

8. Select the GCP Cloud Shell > button.

9. Paste the script into the Cloud Shell terminal, and run it.

The connector will update after the script executes. This process can take up to 6-8 hours up to complete.

Deploy the solution to specific clusters

If you disabled any of the default auto provisioning configurations to Off, during the GCP connector onboarding process, or afterwards. You'll need to manually install Azure Arc-enabled Kubernetes, the Defender extension, and the Azure Policy extensions to each of your GKE clusters to get the full security value out of Defender for Containers.

There are 2 dedicated Defender for Cloud recommendations you can use to install the extensions (and Arc if necessary):

• GKE clusters should have Microsoft Defender's extension for Azure Arc installed
• GKE clusters should have the Azure Policy extension installed

To deploy the solution to specific clusters:

1. Sign in to the Azure portal.

2. Navigate to Microsoft Defender for Cloud > Recommendations.

3. From Defender for Cloud's Recommendations page, search for one of the recommendations by name.

   

4. Select an unhealthy GKE cluster.

   Important

   You must select the clusters one at a time.

   Don't select the clusters by their hyperlinked names: select anywhere else in the relevant row.

5. Select the name of the unhealthy resource.

6. Select Fix.

   

7. Defender for Cloud will generate a script in the language of your choice:

   • For Linux, select Bash.
   • For Windows, select PowerShell.

8. Select Download remediation logic.

9. Run the generated script on your cluster.

10. Repeat steps 3 through 8 for the second recommendation.

View your GKE cluster alerts

1. Sign in to the Azure portal.

2. Navigate to Microsoft Defender for Cloud > Security alerts.

3. Select the button.

4. In the Filter dropdown menu, select Resource type.

5. In the Value dropdown menu, select GCP GKE Cluster.

6. Select Ok.

Simulate security alerts from Microsoft Defender for Containers

A full list of supported alerts is available in the reference table of all Defender for Cloud security alerts.

1. To simulate a security alert, run the following command from the cluster:

   kubectl get pods --namespace=asc-alerttest-662jfi039n
   

   The expected response is "No resource found".

   Within 30 minutes, Defender for Cloud will detect this activity and trigger a security alert.

2. In the Azure portal, open Microsoft Defender for Cloud's security alerts page and look for the alert on the relevant resource:

   

Remove the Defender extension

To remove this - or any - Defender for Cloud extension, it's not enough to turn off auto provisioning:

• Enabling auto provisioning, potentially impacts existing and future machines.
• Disabling auto provisioning for an extension, only affects the future machines - nothing is uninstalled by disabling auto provisioning.

Nevertheless, to ensure the Defender for Containers components aren't automatically provisioned to your resources from now on, disable auto provisioning of the extensions as explained in Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud.

You can remove the extension using Azure portal, Azure CLI, or REST API as explained in the tabs below.

Azure portal - Arc

Use Azure portal to remove the extension

1. From the Azure portal, open Azure Arc.

2. From the infrastructure list, select Kubernetes clusters and then select the specific cluster.

3. Open the extensions page. The extensions on the cluster are listed.

4. Select the cluster and select Uninstall.

   

Azure CLI

Use Azure CLI to remove the Defender extension

1. Remove the Microsoft Defender for Kubernetes Arc extension with the following commands:

   az login
   az account set --subscription <subscription-id>
   az k8s-extension delete --cluster-type connectedClusters --cluster-name <your-connected-cluster-name> --resource-group <your-rg> --name microsoft.azuredefender.kubernetes --yes
   

   Removing the extension may take a few minutes. We recommend you wait before you try to verify that it was successful.

2. To verify that the extension was successfully removed, run the following commands:

   az k8s-extension show --cluster-type connectedClusters --cluster-name <your-connected-cluster-name> --resource-group <your-rg> --name microsoft.azuredefender.kubernetes
   

   There should be no delay in the extension resource getting deleted from Azure Resource Manager. After that, validate that there are no pods called "azuredefender-XXXXX" on the cluster by running the following command with the kubeconfig file pointed to your cluster:

   kubectl get pods -A --selector app=defender
   

   It might take a few minutes for the pods to be deleted.

REST API

Use REST API to remove the Defender extension

To remove the extension using the REST API, run the following DELETE command:

DELETE https://management.azure.com/subscriptions/{{Subscription Id}}/resourcegroups/{{Resource Group}}/providers/Microsoft.Kubernetes/connectedClusters/{{Cluster Name}}/providers/Microsoft.KubernetesConfiguration/extensions/microsoft.azuredefender.kubernetes?api-version=2020-07-01-preview

Name	In	Required	Type	Description
Subscription ID	Path	True	String	Your Azure Arc-enabled Kubernetes cluster's subscription ID
Resource Group	Path	True	String	Your Azure Arc-enabled Kubernetes cluster's resource group
Cluster Name	Path	True	String	Your Azure Arc-enabled Kubernetes cluster's name

For Authentication, your header must have a Bearer token (as with other Azure APIs). To get a bearer token, run the following command:

az account get-access-token --subscription <your-subscription-id>

The request may take several minutes to complete.

Default Log Analytics workspace for AKS

The Log Analytics workspace is used by the Defender profile as a data pipeline to send data from the cluster to Defender for Cloud without retaining any data in the Log Analytics workspace itself. As a result, users won't be billed in this use case.

The Defender profile uses a default Log Analytics workspace. If you don't already have a default Log Analytics workspace, Defender for Cloud will create a new resource group and default workspace when the Defender profile is installed. The default workspace is created based on your region.

The naming convention for the default Log Analytics workspace and resource group is:

• Workspace: DefaultWorkspace-[subscription-ID]-[geo]
• Resource Group: DefaultResourceGroup-[geo]

Assign a custom workspace

When you enable the auto-provision option, a default workspace will be automatically assigned. You can assign a custom workspace through Azure Policy.

To check if you have a workspace assigned:

1. Sign in to the Azure portal.

2. Search for and select Policy.

   

3. Select Definitions.

4. Search for policy ID 64def556-fbad-4622-930e-72d1d5589bf5.

   

5. Select Configure Azure Kubernetes Service clusters to enable Defender profile.

6. Select Assignment.

   

7. Follow the Create a new assignment with custom workspace steps if the policy hasn't yet been assigned to the relevant scope. Or, follow the Update assignment with custom workspace steps if the policy is already assigned and you want to change it to use a custom workspace.

Create a new assignment with custom workspace

If the policy hasn't been assigned, you'll see Assignments (0).

To assign custom workspace:

1. Select Assign.

2. In the Parameters tab, deselect the Only show parameters that need input or review option.

3. Select a LogAnalyticsWorkspaceResource ID from the dropdown menu.

   

4. Select Review + create.

5. Select Create.

Update assignment with custom workspace

If the policy has already been assigned to a workspace, you'll see Assignments (1).

Note

If you have more than one subscription the number may be higher.

To assign custom workspace:

1. Select the relevant assignment.

   

2. Select Edit assignment.

3. In the Parameters tab, deselect the Only show parameters that need input or review option.

4. Select a LogAnalyticsWorkspaceResource ID from the dropdown menu.

   

5. Select Review + create.

6. Select Create.

Default Log Analytics workspace for Arc

The Log Analytics workspace is used by the Defender extension as a data pipeline to send data from the cluster to Defender for Cloud without retaining any data in the Log Analytics workspace itself. As a result, users won't be billed in this use case.

The Defender extension uses a default Log Analytics workspace. If you don't already have a default Log Analytics workspace, Defender for Cloud will create a new resource group and default workspace when the Defender extension is installed. The default workspace is created based on your region.

The naming convention for the default Log Analytics workspace and resource group is:

• Workspace: DefaultWorkspace-[subscription-ID]-[geo]
• Resource Group: DefaultResourceGroup-[geo]

Assign a custom workspace

When you enable the auto-provision option, a default workspace will be automatically assigned. You can assign a custom workspace through Azure Policy.

To check if you have a workspace assigned:

1. Sign in to the Azure portal.

2. Search for, and select Policy.

   

3. Select Definitions.

4. Search for policy ID 708b60a6-d253-4fe0-9114-4be4c00f012c.

   

5. Select Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension..

6. Select Assignments.

   

7. Follow the Create a new assignment with custom workspace steps if the policy hasn't yet been assigned to the relevant scope. Or, follow the Update assignment with custom workspace steps if the policy is already assigned and you want to change it to use a custom workspace.

Create a new assignment with custom workspace

If the policy hasn't been assigned, you'll see Assignments (0).

To assign custom workspace:

1. Select Assign.

2. In the Parameters tab, deselect the Only show parameters that need input or review option.

3. Select a LogAnalyticsWorkspaceResource ID from the dropdown menu.

   

4. Select Review + create.

5. Select Create.

Update assignment with custom workspace

If the policy has already been assigned to a workspace, you'll see Assignments (1).

Note

If you have more than one subscription the number may be higher. If you have a number 1 or higher, the assignment may still not be on the relevant scope. If this is the case, you will want to follow the Create a new assignment with custom workspace steps.

To assign custom workspace:

1. Select the relevant assignment.

   

2. Select Edit assignment.

3. In the Parameters tab, deselect the Only show parameters that need input or review option.

4. Select a LogAnalyticsWorkspaceResource ID from the dropdown menu.

   

5. Select Review + create.

6. Select Create.

Remove the Defender profile

To remove this - or any - Defender for Cloud extension, it's not enough to turn off auto provisioning:

• Enabling auto provisioning, potentially impacts existing and future machines.
• Disabling auto provisioning for an extension, only affects the future machines - nothing is uninstalled by disabling auto provisioning.

Nevertheless, to ensure the Defender for Containers components aren't automatically provisioned to your resources from now on, disable auto provisioning of the extensions as explained in Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud.

You can remove the profile using the REST API or a Resource Manager template as explained in the tabs below.

REST API

Use REST API to remove the Defender profile from AKS

To remove the profile using the REST API, run the following PUT command:

https://management.azure.com/subscriptions/{{SubscriptionId}}/resourcegroups/{{ResourceGroup}}/providers/Microsoft.ContainerService/managedClusters/{{ClusterName}}?api-version={{ApiVersion}}

Name	Description	Mandatory
SubscriptionId	Cluster's subscription ID	Yes
ResourceGroup	Cluster's resource group	Yes
ClusterName	Cluster's name	Yes
ApiVersion	API version, must be >= 2022-06-01	Yes

Request body:

{
  "location": "{{Location}}",
  "properties": {
    "securityProfile": {
            "defender": {
                "securityMonitoring": {
                    "enabled": false
                }
            }
        }
    }
}

Request body parameters:

Name	Description	Mandatory
location	Cluster's location	Yes
properties.securityProfile.defender.securityMonitoring.enabled	Determines whether to enable or disable Microsoft Defender for Containers on the cluster	Yes

Azure CLI

Use Azure CLI to remove the Defender profile

1. Remove the Microsoft Defender for with the following commands:

   az login
   az account set --subscription <subscription-id>
   az aks update --disable-defender --resource-group <your-resource-group> --name <your-cluster-name>
   

   Removing the profile may take a few minutes.

2. To verify that the profile was successfully removed, run the following command:

   kubectl get pods -n azuredefender
   

   When the profile is removed, you should see that no pods are returned in the get pods command. It might take a few minutes for the pods to be deleted.

Resource Manager

Use Azure Resource Manager to remove the Defender profile from AKS

To use Azure Resource Manager to remove the Defender profile, you'll need a Log Analytics workspace on your subscription. Learn more in Log Analytics workspaces.

Tip

If you're new to Resource Manager templates, start here: What are Azure Resource Manager templates?

The relevant template and parameters to remove the Defender profile from AKS are:

{ 
    "type": "Microsoft.ContainerService/managedClusters", 
    "apiVersion": "2022-06-01", 
    "name": "string", 
    "location": "string",
    "properties": {
        …
        "securityProfile": { 
            "defender": { 
                "securityMonitoring": {
                    "enabled": false
                }
            }
        }
    }
}

FAQ

• How can I use my existing Log Analytics workspace?
• Can I delete the default workspaces created by Defender for Cloud?
• I deleted my default workspace, how can I get it back?
• Where is the default Log Analytics workspace located?
• My organization requires me to tag my resources, and required extension didn't get installed, what went wrong?

How can I use my existing Log Analytics workspace?

You can use your existing Log Analytics workspace by following the steps in the Assign a custom workspace workspace section of this article.

Can I delete the default workspaces created by Defender for Cloud?

We don't recommend deleting the default workspace. Defender for Containers uses the default workspaces to collect security data from your clusters. Defender for Containers will be unable to collect data, and some security recommendations and alerts, will become unavailable if you delete the default workspace.

I deleted my default workspace, how can I get it back?

To recover your default workspace, you need to remove the Defender profile/extension, and reinstall the agent. Reinstalling the Defender profile/extension creates a new default workspace.

Where is the default Log Analytics workspace located?

Depending on your region, the default Log Analytics workspace located will be located in various locations. To check your region see Where is the default Log Analytics workspace created?

My organization requires me to tag my resources, and required extension didn't get installed, what went wrong?

The Defender agent uses the Log analytics workspace to send data from your Kubernetes clusters to Defender for Cloud. The Defender for Cloud adds the Log analytic workspace and the resource group as a parameter for the agent to use.

However, if your organization has a policy that requires a specific tag on your resources, it may cause the extension installation to fail during the resource group or the default workspace creation stage. If it fails, you can either:

• Assign a custom workspace and add any tag your organization requires.

  or

• If your company requires you to tag your resource, you should navigate to that policy and exclude the following resources:

  1. The resource group DefaultResourceGroup-<RegionShortCode>
  2. The Workspace DefaultWorkspace-<sub-id>-<RegionShortCode>

  RegionShortCode is a 2-4 letters string.

Learn More

You can check out the following blogs:

• Protect your Google Cloud workloads with Microsoft Defender for Cloud
• Introducing Microsoft Defender for Containers
• A new name for multicloud security: Microsoft Defender for Cloud

Next steps

Now that you enabled Defender for Containers, you can:

• Scan your ACR images for vulnerabilities
• Scan your Amazon AWS ECR images for vulnerabilities