Overview of Microsoft Defender for Containers
Microsoft Defender for Containers is the cloud-native solution to improve, monitor, and maintain the security of your clusters, containers, and their applications.
Defender for Containers assists you with four core aspects of container security:
- Environment hardening - Defender for Containers protects your Kubernetes clusters whether they're running on Azure Kubernetes Service, Kubernetes on-premises/IaaS, or Amazon EKS. Defender for Containers continuously assesses clusters to provide visibility into misconfigurations and guidelines to help mitigate identified threats.
- Vulnerability assessment - Vulnerability assessment and management tools for images stored in Azure Container Registry and Elastic Container Registry.
- Run-time threat protection for nodes and clusters - Threat protection for clusters and nodes generates security alerts for suspicious activities.
- Agentless discovery for Kubernetes - Provides tools that give you visibility into your data plane components, generating security insights based on your Kubernetes and environment configuration, and lets you hunt for risks.
You can learn more by watching this video from the Defender for Cloud in the Field video series: Microsoft Defender for Containers.
Microsoft Defender for Containers plan availability
| Aspect | Details |
|---|---|
| Release state: | General availability (GA). Certain features are in preview; for a full list, see the availability section. |
| Feature availability: | Refer to the availability section for additional information on feature release state and availability. |
| Pricing: | Microsoft Defender for Containers is billed as shown on the pricing page. |
| Required roles and permissions: | • To deploy the required components, see the permissions for each of the components. • Security admin can dismiss alerts. • Security reader can view vulnerability assessment findings. See also Roles for remediation and Azure Container Registry roles and permissions. |
| Clouds: | Azure and non-Azure clouds. For more information, see the availability section. |
Hardening
Continuous monitoring of your Kubernetes clusters - wherever they're hosted
Defender for Cloud continuously assesses the configurations of your clusters and compares them with the initiatives applied to your subscriptions. When it finds misconfigurations, Defender for Cloud generates security recommendations that are available on Defender for Cloud's Recommendations page. The recommendations let you investigate and remediate issues.
You can use the resource filter to review the outstanding recommendations for your container-related resources, whether in asset inventory or the recommendations page.
For details on the recommendations that might appear for this feature, check out the compute section of the recommendations reference table.
Kubernetes data plane hardening
To protect the workloads of your Kubernetes containers with tailored recommendations, you can install the Azure Policy for Kubernetes. Learn more about monitoring components for Defender for Cloud.
With the add-on on your AKS cluster, every request to the Kubernetes API server will be monitored against the predefined set of best practices before being persisted to the cluster. You can then configure it to enforce the best practices and mandate them for future workloads.
For example, you can mandate that privileged containers shouldn't be created, and any future requests to do so will be blocked.
You can learn more about Kubernetes data plane hardening.
Vulnerability assessment
Defender for Containers scans the container images in Azure Container Registry (ACR) and Amazon AWS Elastic Container Registry (ECR) to provide vulnerability reports for your container images, providing details for each vulnerability detected, remediation guidance, real-world exploit insights, and more.
There are two solutions for vulnerability assessment in Azure, one powered by Microsoft Defender Vulnerability Management and one powered by Qualys.
Learn more about:
- Vulnerability assessments for Azure with Microsoft Defender Vulnerability Management
- Vulnerability assessment for Azure powered by Qualys
- Vulnerability assessment for Amazon AWS Elastic Container Registry (ECR)
Run-time protection for Kubernetes nodes and clusters
Defender for Containers provides real-time threat protection for supported containerized environments and generates alerts for suspicious activities. You can use this information to quickly remediate security issues and improve the security of your containers.
Threat protection at the cluster level is provided by the Defender agent and analysis of the Kubernetes audit logs. This means that security alerts are only triggered for actions and deployments that occur after you've enabled Defender for Containers on your subscription.
Examples of security events that Microsoft Defender for Containers monitors include:
- Exposed Kubernetes dashboards
- Creation of high privileged roles
- Creation of sensitive mounts
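The data plane hardening described earlier (blocking requests that create privileged containers) and the runtime events listed here (creation of high privileged roles and sensitive mounts) rest on the same kind of check: inspecting a Kubernetes object for a risky setting. The Python below is an added illustration, not Microsoft's code and not how Defender for Containers is implemented. It evaluates a Pod, workload, Role or ClusterRole for those conditions, exposes the result both as an allow/deny admission-style decision and as alerts raised while scanning Kubernetes audit-log events (the audit log being the cluster-level signal the text above names). The alert names, the list of sensitive host paths and the sample audit events are assumptions constructed for this example.

```python
"""
Added example (not Defender for Containers' code): evaluate Kubernetes objects
for privileged containers, sensitive hostPath mounts and wildcard RBAC grants,
then apply the checks to constructed Kubernetes audit-log events.
"""
import json

# Assumption for this example: host paths treated as sensitive when mounted into a pod.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/var/run/docker.sock", "/proc", "/var/lib/kubelet")


def _pod_spec(obj):
    """PodSpec of a Pod, or of the pod template inside a Deployment/DaemonSet/Job-style object."""
    if obj.get("kind") == "Pod":
        return obj.get("spec", {})
    return obj.get("spec", {}).get("template", {}).get("spec", {})


def check_privileged_containers(obj):
    """Names of containers (and initContainers) that set securityContext.privileged: true."""
    spec = _pod_spec(obj)
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return [c["name"] for c in containers
            if c.get("securityContext", {}).get("privileged") is True]


def check_sensitive_mounts(obj):
    """hostPath volumes whose path is, or lies under, one of SENSITIVE_HOST_PATHS."""
    findings = []
    for vol in _pod_spec(obj).get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path is None:
            continue
        norm = path.rstrip("/") or "/"
        for sensitive in SENSITIVE_HOST_PATHS:
            # "/" matches only an exact root mount; other entries also match sub-paths.
            if norm == sensitive or (sensitive != "/" and norm.startswith(sensitive + "/")):
                findings.append(path)
                break
    return findings


def check_wildcard_role(obj):
    """Rules of a Role or ClusterRole that grant '*' verbs or '*' resources."""
    if obj.get("kind") not in ("Role", "ClusterRole"):
        return []
    return [rule for rule in obj.get("rules", [])
            if "*" in rule.get("verbs", []) or "*" in rule.get("resources", [])]


def evaluate(obj):
    """Run every check on one object; returns a list of (alert_name, detail) tuples."""
    findings = [("PrivilegedContainer", name) for name in check_privileged_containers(obj)]
    findings += [("SensitiveMount", path) for path in check_sensitive_mounts(obj)]
    findings += [("HighPrivilegedRole", json.dumps(rule, sort_keys=True))
                 for rule in check_wildcard_role(obj)]
    return findings


def admission_decision(obj):
    """Deny-mode view of the same checks, as an enforcing admission policy would apply them."""
    findings = evaluate(obj)
    return ("deny", findings) if findings else ("allow", [])


def scan_audit_log(lines):
    """Audit-mode view: evaluate the requestObject of each create/update/patch audit event."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        if event.get("verb") not in ("create", "update", "patch"):
            continue
        obj = event.get("requestObject")
        if not obj:
            continue
        user = event.get("user", {}).get("username", "<unknown>")
        for alert, detail in evaluate(obj):
            alerts.append({"user": user, "alert": alert, "detail": detail,
                           "kind": obj.get("kind"), "name": obj.get("metadata", {}).get("name")})
    return alerts


# Constructed sample audit events (shape follows audit.k8s.io/v1; all values are made up).
SAMPLE_AUDIT_LOG = [
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
                "user": {"username": "dev-alice"},
                "requestObject": {"kind": "Pod", "metadata": {"name": "debug-shell"},
                                  "spec": {"containers": [{"name": "shell", "image": "busybox",
                                                           "securityContext": {"privileged": True}}],
                                           "volumes": [{"name": "dock",
                                                        "hostPath": {"path": "/var/run/docker.sock"}}]}}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
                "user": {"username": "ops-bob"},
                "requestObject": {"kind": "ClusterRole", "metadata": {"name": "everything"},
                                  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "get",
                "user": {"username": "ops-bob"}, "requestObject": None}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
                "user": {"username": "dev-carol"},
                "requestObject": {"kind": "Deployment", "metadata": {"name": "web"},
                                  "spec": {"template": {"spec": {
                                      "containers": [{"name": "web", "image": "nginx"}],
                                      "volumes": [{"name": "cfg", "configMap": {"name": "web"}}]}}}}}),
]

if __name__ == "__main__":
    for alert in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(alert)
```

Run stand-alone, the script prints three alerts: a privileged container and a docker-socket mount from the first event, and a wildcard ClusterRole from the second; the read-only `get` event and the ordinary Deployment produce nothing. The same `evaluate` function backs both modes, which is the point of the page's distinction between hardening (deny at admission) and runtime detection (alert from audit logs).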
You can view security alerts by selecting the Security alerts tile at the top of the Defender for Cloud's overview page, or the link from the sidebar.
The security alerts page opens.
Security alerts for runtime workload in the clusters can be recognized by the K8S.NODE_ prefix of the alert type. For a full list of the cluster level alerts, see the reference table of alerts.
Defender for Containers also includes host-level threat detection with over 60 Kubernetes-aware analytics, AI, and anomaly detections based on your runtime workload.
Defender for Cloud monitors the attack surface of multicloud Kubernetes deployments based on the MITRE ATT&CK® matrix for Containers, a framework developed by the Center for Threat-Informed Defense in close partnership with Microsoft.
Agentless discovery for Kubernetes
Defender for Containers uses the cloud security graph to collect information about your Kubernetes clusters in an agentless manner. This data can be queried via Cloud Security Explorer and used for:
- Kubernetes inventory: gain visibility into your Kubernetes clusters' data plane components such as nodes, pods, and cron jobs.
- Security insights: predefined security situations relevant to Kubernetes components, such as "exposed to the internet". For more information, see Security insights.
- Risk hunting: querying various risk cases, correlating predefined or custom security scenarios across fine-grained Kubernetes properties as well as Defender for Containers security insights.
Learn more
Learn more about Defender for Containers in the following blogs:
Availability
The release state of Defender for Containers is broken down by two dimensions: environment and feature. So, for example:
- Kubernetes data plane recommendations for AKS clusters are GA
- Kubernetes data plane recommendations for EKS clusters are preview
To view the status of the full matrix of features and environments, see Microsoft Defender for Containers feature availability.
Next steps
In this overview, you learned about the core elements of container security in Microsoft Defender for Cloud. To enable the plan, see:
- Enable Defender for Containers
- Check out common questions about Defender for Containers.