Configure Microsoft Defender for Containers components

Microsoft Defender for Containers is the cloud-native solution for securing your containers. It helps protect your clusters whether they're running in:

• Azure Kubernetes Service (AKS): Microsoft's managed service for developing, deploying, and managing containerized applications.

• Amazon Elastic Kubernetes Service (EKS) in a connected Amazon Web Services (AWS) account: Amazon's managed service for running Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes.

• Google Kubernetes Engine (GKE) in a connected Google Cloud Platform (GCP) project: Google's managed environment for deploying, managing, and scaling applications by using GCP infrastructure.

• Other Kubernetes distributions (using Azure Arc-enabled Kubernetes): Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters hosted on-premises or on infrastructure as a service (IaaS). For more information, see Containers support matrix in Defender for Cloud.

You can first learn how to connect and help protect your containers in these articles:

• Protect your Azure containers with Defender for Containers
• Protect your on-premises Kubernetes clusters with Defender for Containers
• Protect your Amazon Web Services (AWS) containers with Defender for Containers
• Protect your Google Cloud Platform (GCP) containers with Defender for Containers

You can also learn more by watching these videos from the Defender for Cloud in the field video series:

• Microsoft Defender for Containers in a multicloud environment
• Protecting containers in GCP with Defender for Containers

Note

Defender for Containers support for Azure Arc-enabled Kubernetes clusters is a preview feature. The preview feature is available on a self-service, opt-in basis.

Previews are provided as is and as available. They're excluded from the service-level agreements and the limited warranty.

To learn more about the supported operating systems, feature availability, outbound proxy, and more, see Containers support matrix in Defender for Cloud.

Network requirements

Validate that the following endpoints are configured for outbound access so that the Defender sensor can connect to Microsoft Defender for Cloud to send security data and events.

The Defender sensor must connect to the configured Azure Monitor Log Analytics workspace. By default, AKS clusters have unrestricted outbound (egress) internet access. If event egress from the cluster requires the use of an Azure Monitor Private Link Scope (AMPLS), you must:

• Define the cluster with Container insights and a Log Analytics workspace.
• Configure the AMPLS with query access mode and ingestion access mode set to Open.
• Define the cluster's Log Analytics workspace as a resource in the AMPLS.
• Create in the AMPLS a virtual network private endpoint between the virtual network of the cluster and the Log Analytics resource. The virtual network private endpoint integrates with a private DNS zone.

For instructions, refer to Create an Azure Monitor Private Link Scope.

Network requirements

Validate that the following endpoints for public cloud deployments are configured for outbound access. Configuring them for outbound access helps ensure that the Defender sensor can connect to Microsoft Defender for Cloud to send security data and events.

Azure domain	Azure Government domain	Azure operated by 21Vianet domain	Port
*.ods.opinsights.azure.com	*.ods.opinsights.azure.us	*.ods.opinsights.azure.cn	443
*.oms.opinsights.azure.com	*.oms.opinsights.azure.us	*.oms.opinsights.azure.cn	443
login.microsoftonline.com	login.microsoftonline.us	login.chinacloudapi.cn	443

You also need to validate the Azure Arc-enabled Kubernetes network requirements.

Enable the plan

1. In Defender for Cloud, select Settings, and then select the relevant subscription.

2. On the Defender plans page, select Containers > Settings.

   

   Tip

   If the subscription already has Defender for Kubernetes or Defender for container registries enabled, an update notice appears. Otherwise, the only option is Containers.

   

3. Turn on the relevant component.

   

   Note

   • Defender for Containers customers who joined before August 2023 and don't have Agentless discovery for Kubernetes turned on as part of Defender cloud security posture management (CSPM) when they enabled the plan must manually enable the Agentless discovery for Kubernetes extension within the Defender for Containers plan.
   • When you turn off Defender for Containers, the components are set to Off. They're not deployed to any more containers, but they're not removed from containers where they're already installed.

Enablement method per capability

By default, when you enable the plan through the Azure portal, Microsoft Defender for Containers is configured to automatically enable all capabilities and install all required components to provide the protections that the plan offers. This configuration includes the assignment of a default workspace.

If you don't want to enable all capabilities of the plans, you can manually select which specific capabilities to enable by selecting Edit configuration for the Containers plan. Then, on the Settings & monitoring page, select the capabilities that you want to enable. You can also modify this configuration from the Defender plans page after initial configuration of the plan.

For detailed information on the enablement method for each capability, see the support matrix.

Roles and permissions

Learn more about the roles for provisioning Defender for Containers extensions.

Assigning a custom workspace for the Defender sensor

You can assign a custom workspace through Azure Policy.

Manual deployment of the Defender sensor or Azure policy agent without automatic provisioning by using recommendations

Capabilities that require sensor installation can also be deployed on one or more Kubernetes clusters. Use the appropriate recommendation:

Sensor	Recommendation
Defender sensor for Kubernetes	Azure Kubernetes Service clusters should have Defender profile enabled
Defender sensor for Azure Arc-enabled Kubernetes	Azure Arc-enabled Kubernetes clusters should have the Defender extension installed
Azure Policy agent for Kubernetes	Azure Kubernetes Service clusters should have the Azure Policy Add-on for Kubernetes installed
Azure Policy agent for Azure Arc-enabled Kubernetes	Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed

To deploy the Defender sensor on specific clusters:

1. On the Microsoft Defender for Cloud Recommendations page, open the Enable enhanced security security control or search for one of the preceding recommendations. (You can also use the preceding links to open the recommendation directly.)

2. View all clusters without a sensor by opening the Unhealthy tab.

3. Select the clusters where you want to deploy the sensor, and then select Fix.

4. Select Fix X resources.

Deploy the Defender sensor: All options

You can enable the Defender for Containers plan and deploy all of the relevant components by using the Azure portal, the REST API, or an Azure Resource Manager template. For detailed steps, select the relevant tab.

After the Defender sensor is deployed, a default workspace is automatically assigned. You can assign a custom workspace in place of the default workspace through Azure Policy.

Note

The Defender sensor is deployed to each node to provide the runtime protections and collect signals from those nodes by using eBPF technology.

Azure portal

Use the Fix button from the Defender for Cloud recommendation

You can use Azure portal pages to enable the Defender for Cloud plan and set up automatic provisioning of all the necessary components for defending your Kubernetes clusters at scale. The process is streamlined.

A dedicated Defender for Cloud recommendation provides:

• Visibility into which of your clusters has the Defender sensor deployed.
• A Fix button to deploy the sensor to clusters that don't have it.

To deploy the sensor:

1. On the Microsoft Defender for Cloud Recommendations page, open the Enable enhanced security security control.

2. Use the filter to find the recommendation named Azure Kubernetes Service clusters should have Defender profile enabled.

   Tip

   Notice the Fix icon in the Actions column.

3. Select the clusters to see the details of the healthy and unhealthy resources (clusters with and without the sensor).

4. In the list of unhealthy resources, select a cluster. Then select Remediate to open the pane with the remediation confirmation.

5. Select Fix X resources.

REST API

Use the REST API to deploy the Defender sensor

To install securityProfile on an existing cluster by using the REST API, run the following PUT command:

PUT https://management.azure.com/subscriptions/{{Subscription ID}}/resourcegroups/{{Resource Group}}/providers/Microsoft.Kubernetes/connectedClusters/{{Cluster Name}}/providers/Microsoft.KubernetesConfiguration/extensions/microsoft.azuredefender.kubernetes?api-version=2020-07-01-preview

Here's the request URI:

https://management.azure.com/subscriptions/{{SubscriptionId}}/resourcegroups/{{ResourceGroup}}/providers/Microsoft.ContainerService/managedClusters/{{ClusterName}}?api-version={{ApiVersion}}

The request query has these parameters:

Name	Description	Mandatory
SubscriptionId	Cluster's subscription ID	Yes
ResourceGroup	Cluster's resource group	Yes
ClusterName	Cluster's name	Yes
ApiVersion	API version; must be 2022-06-01 or later	Yes

This is the request body:

{
  "location": "{{Location}}",
  "properties": {
    "securityProfile": {
            "defender": {
                "logAnalyticsWorkspaceResourceId": "{{LAWorkspaceResourceId}}",
                "securityMonitoring": {
                    "enabled": true,
                }
            }
        }
    }
}

The request body has these parameters:

Name	Description	Mandatory
location	Cluster's location	Yes
properties.securityProfile.defender.securityMonitoring.enabled	Determines whether to enable or disable Microsoft Defender for Containers on the cluster	Yes
properties.securityProfile.defender.logAnalyticsWorkspaceResourceId	Azure resource ID for the Log Analytics workspace	Yes

Azure CLI

Use the Azure CLI to deploy the Defender sensor

1. Sign in to Azure:

   az login
   az account set --subscription <your-subscription-id>
   

   Important

   Ensure that you use the same subscription ID for <your-subscription-id> as the one that's associated with your AKS cluster.

2. Enable the Defender sensor on your containers:

   • Run the following command to create a new cluster with the Defender sensor enabled:

     az aks create --enable-defender --resource-group <your-resource-group> --name <your-cluster-name>
     

   • Run the following command to enable the Defender sensor on an existing cluster:

     az aks update --enable-defender --resource-group <your-resource-group> --name <your-cluster-name>
     

   Here are the supported configuration settings on the Defender sensor type:

   Property

   Description

   logAnalyticsWorkspaceResourceId

   Optional. Full resource ID of your own Log Analytics workspace. If you don't provide one, the default workspace of the region is used. To get the full resource ID, run the following command to display the list of workspaces in your subscriptions in the default JSON format: az resource list --resource-type Microsoft.OperationalInsights/workspaces -o json The Log Analytics workspace's resource ID has the following syntax: /subscriptions/{your-subscription-id}/resourceGroups/{your-resource-group}/providers/Microsoft.OperationalInsights/workspaces/{your-workspace-name} Learn more in Log Analytics workspaces.

   You can include these settings in a JSON file and specify the JSON file in the az aks create and az aks update commands with this parameter: --defender-config <path-to-JSON-file>. The format of the JSON file must be:

   {"logAnalyticsWorkspaceResourceId": "<workspace-id>"}
   

   Learn more about AKS CLI commands in az aks.

3. To verify that the sensor was successfully added, run the following command on your machine with the kubeconfig file pointed to your cluster:

   kubectl get pods -n kube-system
   

   When the sensor is added, you should see a pod called microsoft-defender-XXXXX in the Running state. It might take a few minutes for pods to be added.

Resource Manager

Use Azure Resource Manager to deploy the Defender sensor

To use Azure Resource Manager to deploy the Defender sensor, you need a Log Analytics workspace on your subscription. Learn more in Log Analytics workspaces.

Tip

If you're new to Resource Manager templates, start here: What are Azure Resource Manager templates?.

To install securityProfile on an existing cluster by using Resource Manager:

{ 
    "type": "Microsoft.ContainerService/managedClusters", 
    "apiVersion": "2022-06-01", 
    "name": "string", 
    "location": "string",
    "properties": {
        …
        "securityProfile": { 
            "defender": { 
                "logAnalyticsWorkspaceResourceId": "logAnalyticsWorkspaceResourceId",
                "securityMonitoring": {
                    "enabled": true
                }
            }
        }
    }
}

Enable the plan

1. In Defender for Cloud, select Settings, and then select the relevant subscription.

2. On the Defender plans page, select Containers > Settings.

   

   Tip

   If the subscription already has Defender for Kubernetes or Defender for container registries enabled, an update notice appears. Otherwise, the only option is Containers.

   

3. Turn on the relevant component.

   

   Note

   When you turn off Defender for Containers, the components are set to Off. They're not deployed to any more containers, but they're not removed from containers where they're already installed.

By default, when you enable the plan through the Azure portal, Microsoft Defender for Containers is configured to automatically install required components to provide the protections that the plan offers. This configuration includes the assignment of a default workspace.

If you want to disable automatic installation of components during the onboarding process, select Edit configuration for the Containers plan. The advanced options appear, and you can disable automatic installation for each component.

You can also modify this configuration from the Defender plans page.

Note

If you choose to disable the plan at any time after you enable it through the portal, you'll need to manually remove Defender for Containers components deployed on your clusters.

You can assign a custom workspace through Azure Policy.

If you disable the automatic installation of any component, you can easily deploy the component to one or more clusters by using the appropriate recommendation:

• Azure Policy add-on for Kubernetes: Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed
• Azure Kubernetes Service profile: Azure Kubernetes Service clusters should have Defender profile enabled
• Defender extension for Azure Arc-enabled Kubernetes: Azure Arc-enabled Kubernetes clusters should have the Defender extension installed
• Azure Policy extension for Azure Arc-enabled Kubernetes: Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed

Learn more about the roles for provisioning Defender for Containers extensions.

Prerequisites

Before you deploy the sensor, ensure that you:

• Connect the Kubernetes cluster to Azure Arc.
• Complete the prerequisites listed in the documentation for generic cluster extensions.

Deploy the Defender sensor

You can deploy the Defender sensor by using a range of methods. For detailed steps, select the relevant tab.

Azure portal

Use the Fix button from the Defender for Cloud recommendation

A dedicated Defender for Cloud recommendation provides:

• Visibility into which of your clusters has the Defender sensor deployed.
• A Fix button to deploy the sensor to clusters that don't have it.

To deploy the sensor:

1. On the Microsoft Defender for Cloud Recommendations page, open the Enable enhanced security security control.

2. Use the filter to find the recommendation named Azure Arc-enabled Kubernetes clusters should have Microsoft Defender's extension enabled.

   

   Tip

   Notice the Fix icon in the Actions column.

3. Select the sensor to see the details of the healthy and unhealthy resources (clusters with and without the sensor).

4. In the list of unhealthy resources, select a cluster. Then select Remediate to open the pane with the remediation options.

5. Select the relevant Log Analytics workspace, and then select Remediate x resource.

   

Azure CLI

Use the Azure CLI to deploy the Defender sensor

1. Sign in to Azure:

   az login
   az account set --subscription <your-subscription-id>
   

   Important

   Ensure that you use the same subscription ID for <your-subscription-id> as the one that you used when connecting your cluster to Azure Arc.

2. Run the following command to deploy the sensor on top of your Azure Arc-enabled Kubernetes cluster:

   az k8s-extension create --name microsoft.azuredefender.kubernetes --cluster-type connectedClusters --cluster-name <cluster-name> --resource-group <resource-group> --extension-type microsoft.azuredefender.kubernetes
   

   Here are the supported configuration settings on the Defender sensor type:

   Property	Description
   logAnalyticsWorkspaceResourceID	Optional. Full resource ID of your own Log Analytics workspace. If you don't provide one, the default workspace of the region is used. To get the full resource ID, run the following command to display the list of workspaces in your subscriptions in the default JSON format: az resource list --resource-type Microsoft.OperationalInsights/workspaces -o json The Log Analytics workspace resource ID has the following syntax: /subscriptions/{your-subscription-id}/resourceGroups/{your-resource-group}/providers/Microsoft.OperationalInsights/workspaces/{your-workspace-name} Learn more in Log Analytics workspaces.
   auditLogPath	Optional. Full path to the audit log files. If you don't provide one, the default path /var/log/kube-apiserver/audit.log is used. For AKS Engine, the standard path is /var/log/kubeaudit/audit.log.

   The following command shows an example usage of all optional fields:

   az k8s-extension create --name microsoft.azuredefender.kubernetes --cluster-type connectedClusters --cluster-name <your-connected-cluster-name> --resource-group <your-rg> --extension-type microsoft.azuredefender.kubernetes --configuration-settings logAnalyticsWorkspaceResourceID=<log-analytics-workspace-resource-id> auditLogPath=<your-auditlog-path>
   

Resource Manager

Use Azure Resource Manager to deploy the Defender sensor

To use Azure Resource Manager to deploy the Defender sensor, you need a Log Analytics workspace on your subscription. Learn more in Log Analytics workspaces.

You can use the azure-defender-extension-arm-template.json Resource Manager template from the Defender for Cloud installation examples.

Tip

If you're new to Resource Manager templates, start here: What are Azure Resource Manager templates?.

REST API

Use the REST API to deploy the Defender sensor

To use the REST API to deploy the Defender sensor, you need a Log Analytics workspace on your subscription. Learn more in Log Analytics workspaces.

To manually deploy the sensor by using the REST API, run the following PUT command:

PUT https://management.azure.com/subscriptions/{{Subscription ID}}/resourcegroups/{{Resource Group}}/providers/Microsoft.Kubernetes/connectedClusters/{{Cluster Name}}/providers/Microsoft.KubernetesConfiguration/extensions/microsoft.azuredefender.kubernetes?api-version=2020-07-01-preview

The command includes these parameters:

Name	In	Required	Type	Description
Subscription ID	Path	True	String	Your Azure Arc-enabled Kubernetes resource's subscription ID
Resource Group	Path	True	String	Name of the resource group that contains your Azure Arc-enabled Kubernetes resource
Cluster Name	Path	True	String	Name of your Azure Arc-enabled Kubernetes resource

For Authentication, your header must have a bearer token (as with other Azure APIs). To get a bearer token, run the following command:

az account get-access-token --subscription <your-subscription-id>

Use the following structure for the body of your message:

{ 
"properties": { 
    "extensionType": "microsoft.azuredefender.kubernetes",
"con    figurationSettings": { 
        "logAnalytics.workspaceId":"YOUR-WORKSPACE-ID"
    // ,    "auditLogPath":"PATH/TO/AUDITLOG"
    },
    "configurationProtectedSettings": {
        "logAnalytics.key":"YOUR-WORKSPACE-KEY"
    }
    }
} 

The message body includes these properties:

Property	Description
logAnalytics.workspaceId	Workspace ID of the Log Analytics resource.
logAnalytics.key	Key of the Log Analytics resource.
auditLogPath	Optional. Full path to the audit log files. The default value is /var/log/kube-apiserver/audit.log.

Verify the deployment

To verify that your cluster has the Defender sensor installed on it, follow the steps on one of the following tabs.

Azure portal - Defender for Cloud

Use Defender for Cloud recommendations to verify the status of your sensor

1. On the Microsoft Defender for Cloud Recommendations page, open the Enable Microsoft Defender for Cloud security control.

2. Select the recommendation named Azure Arc-enabled Kubernetes clusters should have Microsoft Defender's extension enabled.

   

3. Check that the cluster on which you deployed the sensor is listed as Healthy.

Azure portal - Azure Arc

Use the Azure Arc pages to verify the status of your sensor

1. In the Azure portal, open Azure Arc.

2. In the infrastructure list, select Kubernetes clusters, and then select the specific cluster.

3. Open the Extensions page. The page lists the extensions on the cluster. To confirm whether the Defender sensor was installed correctly, check the Install status column.

   

4. For more details, select the extension.

   

Azure CLI

Use the Azure CLI to verify that the sensor is deployed

1. Run the following command in the Azure CLI:

   az k8s-extension show --cluster-type connectedClusters --cluster-name <your-connected-cluster-name> --resource-group <your-rg> --name microsoft.azuredefender.kubernetes
   

2. In the response, look for "extensionType": "microsoft.azuredefender.kubernetes" and "installState": "Installed".

   Note

   The response might show "installState": "Pending" for the first few minutes.

3. If the state shows Installed, run the following command on your machine with the kubeconfig file pointed to your cluster. Then check that all pods under the mdc namespace are in the Running state.

   kubectl get pods -n mdc
   

REST API

Use the REST API to verify that the sensor is deployed

To confirm a successful deployment, or to validate the status of your sensor at any time:

1. Run the following GET command:

   GET https://management.azure.com/subscriptions/{{Subscription ID}}/resourcegroups/{{Resource Group}}/providers/Microsoft.Kubernetes/connectedClusters/{{Cluster Name}}/providers/Microsoft.KubernetesConfiguration/extensions/microsoft.azuredefender.kubernetes?api-version=2020-07-01-preview
   

2. In the response, look in "extensionType": "microsoft.azuredefender.kubernetes" for "installState": "Installed".

   Tip

   The response might show "installState": "Pending" for the first few minutes.

3. If the state shows Installed, run the following command on your machine with the kubeconfig file pointed to your cluster. Then check that all pods under the mdc namespace are in the Running state.

   kubectl get pods -n mdc
   

Enable the plan

Important

• If you haven't connected an AWS account, connect your AWS account to Microsoft Defender for Cloud before you begin the following steps.
• If you already enabled the plan on your connector, and you want to change optional configurations or enable new capabilities, go directly to step 4.

To help protect your EKS clusters, enable the Defender for Containers plan on the relevant account connector:

1. In Defender for Cloud, open Environment settings.

2. Select the AWS connector.

   

3. Verify that the toggle for the Containers plan is set to On.

   

4. To change optional configurations for the plan, select Settings.

   

   • Defender for Containers requires control plane audit logs to provide runtime threat protection. To send Kubernetes audit logs to Microsoft Defender, set the toggle for that feature to On. To change the retention period for your audit logs, enter the required time frame.

     Note

     If you disable this configuration, the Threat detection (control plane) feature is also disabled. Learn more about feature availability.

   • The Agentless discovery for Kubernetes feature provides API-based discovery of your Kubernetes clusters. To enable the feature, set its toggle to On.

   • The Agentless Container Vulnerability Assessment feature provides vulnerability management for images stored in ECR and for running images on your EKS clusters. To enable the feature, set its toggle to On.

5. Continue through the remaining pages of the connector wizard.

6. If you're enabling the Agentless Discovery for Kubernetes feature, you need to grant control plane permissions on the cluster. You can grant permissions in one of the following ways:

   • Run this Python script. The script adds the Defender for Cloud role MDCContainersAgentlessDiscoveryK8sRole to aws-auth ConfigMap for the EKS clusters that you want to onboard.

   • Grant each Amazon EKS cluster the MDCContainersAgentlessDiscoveryK8sRole role with the ability to interact with the cluster. Sign in to all existing and newly created clusters by using eksctl and run the following script:

         eksctl create iamidentitymapping \ 
         --cluster my-cluster \ 
         --region region-code \ 
         --arn arn:aws:iam::account:role/MDCContainersAgentlessDiscoveryK8sRole \ 
         --group system:masters\ 
         --no-duplicate-arns
     

     For more information, see Grant IAM users access to Kubernetes with EKS access entries in the Amazon EKS user guide.

7. Azure Arc-enabled Kubernetes, the Defender sensor, and Azure Policy for Kubernetes should be installed and running on your EKS clusters. There's a dedicated Defender for Cloud recommendation to install these extensions (and Azure Arc, if necessary): EKS clusters should have Microsoft Defender's extension for Azure Arc installed.

   Use the following steps to install the required extensions:

   1. On the Defender for Cloud Recommendations page, search for and select the EKS clusters should have Microsoft Defender's extension for Azure Arc installed recommendation.

   2. Select an unhealthy cluster.

      Important

      You must select clusters one at a time.

      Don't select the clusters by their hyperlinked names. Select anywhere else in the relevant row.

   3. Select Fix.

   4. Defender for Cloud generates a script in the language of your choice: select Bash (for Linux) or PowerShell (for Windows).

   5. Select Download remediation logic.

   6. Run the generated script on your cluster.

   

View recommendations and alerts for your EKS clusters

Tip

You can simulate container alerts by following the instructions in this blog post.

To view the alerts and recommendations for your EKS clusters, use the filters on the alerts, recommendations, and inventory pages to filter by resource type AWS EKS Cluster.

Deploy the Defender sensor

To deploy the Defender sensor on your AWS clusters:

1. Go to Microsoft Defender for Cloud > Environment settings > Add environment > Amazon Web Services.

   

2. Fill in the account details.

   

3. Go to Select plans, open the Containers plan, and make sure Auto provision Defender's sensor for Azure Arc is set to On.

   

4. Go to Configure access and follow the steps there.

   

5. After the Cloud Formation template is deployed successfully, select Create.

Note

You can exclude a specific AWS cluster from automatic provisioning. For sensor deployment, apply the ms_defender_container_exclude_agents tag on the resource with the value true. For agentless deployment, apply the ms_defender_container_exclude_agentless tag on the resource with the value true.

Enable the plan

Important

If you haven't connected a GCP project, connect your GCP project to Microsoft Defender for Cloud.

To help protect your GKE clusters, use the following steps to enable the Defender for Containers plan on the relevant GCP project.

Note

Verify that you don't have any Azure policies that prevent the Azure Arc installation.

1. Sign in to the Azure portal.

2. Go to Microsoft Defender for Cloud > Environment settings.

3. Select the relevant GCP connector.

   

4. Select the Next: Select plans > button.

5. Ensure that the toggle for the Containers plan is On.

   

6. To change optional configurations for the plan, select Settings.

   

   • Kubernetes audit logs to Defender for Cloud: Enabled by default. This configuration is available at the GCP project level only. It provides agentless collection of the audit log data through GCP Cloud Logging to the Microsoft Defender for Cloud back end for further analysis. Defender for Containers requires control plane audit logs to provide runtime threat protection. To send Kubernetes audit logs to Microsoft Defender, set the toggle to On.

     Note

     If you disable this configuration, the Threat detection (control plane) feature is also disabled. Learn more about feature availability.

   • Auto provision Defender's sensor for Azure Arc and Auto provision Azure Policy extension for Azure Arc: Enabled by default. You can install Azure Arc-enabled Kubernetes and its extensions on your GKE clusters in three ways:

     • Enable Defender for Containers automatic provisioning at the project level, as explained in the instructions in this section. We recommend this method.
     • Use Defender for Cloud recommendations for per-cluster installation. They appear on the Microsoft Defender for Cloud Recommendations page. Learn how to deploy the solution to specific clusters.
     • Manually install Azure Arc-enabled Kubernetes and extensions.

   • The Agentless discovery for Kubernetes feature provides API-based discovery of your Kubernetes clusters. To enable the feature, set its toggle to On.

   • The Agentless Container Vulnerability Assessment feature provides vulnerability management for images stored in Google registries (Google Artifact Registry and Google Container Registry) and running images on your GKE clusters. To enable the feature, set its toggle to On.

7. Select the Copy button.

   

8. Select the GCP Cloud Shell > button.

9. Paste the script into the Cloud Shell terminal and run it.

The connector is updated after the script runs. This process can take up to 8 hours to finish.

Deploy the solution to specific clusters

If you set any of the default automatic provisioning configurations to Off during the GCP connector onboarding process or afterward, you need to manually install Azure Arc-enabled Kubernetes, the Defender sensor, and Azure Policy for Kubernetes in each of your GKE clusters. Installing them helps ensure that you get the full security value out of Defender for Containers.

You can use two dedicated Defender for Cloud recommendations to install the extensions (and Azure Arc, if necessary):

• GKE clusters should have Microsoft Defender's extension for Azure Arc installed
• GKE clusters should have the Azure Policy extension installed

Note

When you're installing Arc extensions, you must verify that the provided GCP project is identical to the one in the relevant connector.

To deploy the solution to specific clusters:

1. Sign in to the Azure portal.

2. Go to Microsoft Defender for Cloud > Recommendations.

3. On the Defender for Cloud Recommendations page, search for one of the recommendations by name.

   

4. Select an unhealthy GKE cluster.

   Important

   You must select clusters one at a time.

   Don't select the clusters by their hyperlinked names. Select anywhere else in the relevant row.

5. Select the name of the unhealthy resource.

6. Select Fix.

   

7. Defender for Cloud generates a script in the language of your choice:

   • For Linux, select Bash.
   • For Windows, select PowerShell.

8. Select Download remediation logic.

9. Run the generated script on your cluster.

10. Repeat steps 3 through 8 for the other recommendation.

View your GKE cluster alerts

1. Sign in to the Azure portal.

2. Go to Microsoft Defender for Cloud > Security alerts.

3. Select the button.

4. On the Filter dropdown menu, select Resource type.

5. On the Value dropdown menu, select GCP GKE Cluster.

6. Select Ok.

Deploy the Defender sensor

To deploy the Defender sensor on your GCP clusters:

1. Go to Microsoft Defender for Cloud > Environment settings > Add environment > Google Cloud Platform.

   

2. Fill in the account details.

   

3. Go to Select plans, open the Containers plan, and make sure Auto provision Defender's sensor for Azure Arc is set to On.

   

4. Go to Configure access and follow the steps there.

   

5. After the gcloud script runs successfully, select Create.

Note

You can exclude a specific GCP cluster from automatic provisioning. For sensor deployment, apply the ms_defender_container_exclude_agents label on the resource with the value true. For agentless deployment, apply the ms_defender_container_exclude_agentless label on the resource with the value true.

Simulate security alerts from Microsoft Defender for Containers

A full list of supported alerts is available in the reference table of all Defender for Cloud security alerts.

To simulate a security alert:

1. Run the following command from the cluster:

   kubectl get pods --namespace=asc-alerttest-662jfi039n
   

   The expected response is No resource found.

   Within 30 minutes, Defender for Cloud detects this activity and triggers a security alert.

   Note

   Azure Arc isn't a prerequisite for simulating agentless alerts for Defender for Containers.

2. In the Azure portal, go to Microsoft Defender for Cloud > Security alerts and look for the alert on the relevant resource.

   

Remove the Defender sensor

To remove this (or any) Defender for Cloud extension, it's not enough to turn off automatic provisioning:

• Enabling automatic provisioning potentially affects existing and future machines.
• Disabling automatic provisioning for an extension affects only the future machines. Nothing is uninstalled when you disable automatic provisioning.

Note

To disable the Defender for Containers plan entirely, go to Environment settings and turn off Microsoft Defender for Containers.

Nevertheless, to ensure that the Defender for Containers components aren't automatically provisioned to your resources from now on, disable automatic provisioning of the extensions.

You can remove the extension from currently running machines by using the Azure portal, the Azure CLI, or the REST API, as explained on the following tabs.

Azure portal - Arc

Use the Azure portal to remove the extension

1. In the Azure portal, open Azure Arc.

2. In the infrastructure list, select Kubernetes clusters, and then select the specific cluster.

3. Open the Extensions page, which lists extensions on the cluster.

4. Select the extension, and then select Uninstall.

   

Azure CLI

Use the Azure CLI to remove the Defender sensor

1. Remove the Azure Arc extension for Microsoft Defender for Kubernetes by using the following commands:

   az login
   az account set --subscription <subscription-id>
   az k8s-extension delete --cluster-type connectedClusters --cluster-name <your-connected-cluster-name> --resource-group <your-rg> --name microsoft.azuredefender.kubernetes --yes
   

   Removing the extension might take a few minutes. We recommend that you wait before you try to verify that it was successful.

2. To verify that you successfully removed the extension, run the following commands:

   az k8s-extension show --cluster-type connectedClusters --cluster-name <your-connected-cluster-name> --resource-group <your-rg> --name microsoft.azuredefender.kubernetes
   

3. Validate that there are no pods under the mdc namespace on the cluster. Run the following command with the kubeconfig file pointed to your cluster:

   kubectl get pods -n mdc
   

   Deletion of the pods might take a few minutes.

REST API

Use the REST API to remove the Defender sensor

To remove the extension by using the REST API, run the following DELETE command:

DELETE https://management.azure.com/subscriptions/{{Subscription ID}}/resourcegroups/{{Resource Group}}/providers/Microsoft.Kubernetes/connectedClusters/{{Cluster Name}}/providers/Microsoft.KubernetesConfiguration/extensions/microsoft.azuredefender.kubernetes?api-version=2020-07-01-preview

The command includes these parameters:

Name	In	Required	Type	Description
Subscription ID	Path	True	String	Your Azure Arc-enabled Kubernetes cluster's subscription ID
Resource Group	Path	True	String	Your Azure Arc-enabled Kubernetes cluster's resource group
Cluster Name	Path	True	String	Your Azure Arc-enabled Kubernetes cluster's name

For Authentication, your header must have a bearer token (as with other Azure APIs). To get a bearer token, run the following command:

az account get-access-token --subscription <your-subscription-id>

The request might take several minutes to complete.

Set a default Log Analytics workspace for AKS

The Defender sensor uses the Log Analytics workspace as a data pipeline to send data from the cluster to Defender for Cloud. The workspace doesn't retain any of the data. As a result, users aren't billed in this use case.

The Defender sensor uses a default Log Analytics workspace. If you don't have a default Log Analytics workspace, Defender for Cloud creates a new resource group and default workspace when you install the Defender sensor. The default workspace is based on your region.

The naming convention for the default Log Analytics workspace and resource group is:

• Workspace: DefaultWorkspace-[subscription-ID]-[geo]
• Resource group: DefaultResourceGroup-[geo]

Assign a custom workspace

When you enable automatic provisioning, a default workspace is automatically assigned. You can assign a custom workspace through Azure Policy.

To check if you have a workspace assigned:

1. Sign in to the Azure portal.

2. Search for and select Policy.

   

3. Select Definitions.

4. Search for policy ID 64def556-fbad-4622-930e-72d1d5589bf5.

   

5. Select Configure Azure Kubernetes Service clusters to enable Defender profile.

6. Select Assignments.

   

7. Use one of the next sections in this article as follows:

   • If the policy isn't yet assigned to the relevant scope, follow the Create a new assignment with a custom workspace steps.
   • If the policy is already assigned and you want to change it to use a custom workspace, follow the Update an assignment with a custom workspace steps.

Create a new assignment with a custom workspace

If the policy isn't yet assigned, the Assignments tab shows the number 0.

To assign a custom workspace:

1. Select Assign.

2. On the Parameters tab, clear the Only show parameters that need input or review option.

3. Select a LogAnalyticsWorkspaceResourceId value from the dropdown menu.

   

4. Select Review + create.

5. Select Create.

Update an assignment with a custom workspace

If the policy is assigned to a workspace, the Assignments tab shows the number 1.

Note

If you have more than one subscription, the number might be higher.

To assign a custom workspace:

1. Select the relevant assignment.

   

2. Select Edit assignment.

3. On the Parameters tab, clear the Only show parameters that need input or review option.

4. Select a LogAnalyticsWorkspaceResourceId value from the dropdown menu.

   

5. Select Review + save.

6. Select Save.

Default Log Analytics workspace for Azure Arc

The Defender sensor uses the Log Analytics workspace as a data pipeline to send data from the cluster to Defender for Cloud. The workspace doesn't retain any of the data. As a result, users aren't billed in this use case.

The Defender sensor uses a default Log Analytics workspace. If you don't have a default Log Analytics workspace, Defender for Cloud creates a new resource group and default workspace when you install the Defender sensor. The default workspace is based on your region.

The naming convention for the default Log Analytics workspace and resource group is:

• Workspace: DefaultWorkspace-[subscription-ID]-[geo]
• Resource group: DefaultResourceGroup-[geo]

Assign a custom workspace

When you enable automatic provisioning, a default workspace is automatically assigned. You can assign a custom workspace through Azure Policy.

To check if you have a workspace assigned:

1. Sign in to the Azure portal.

2. Search for and select Policy.

   

3. Select Definitions.

4. Search for policy ID 708b60a6-d253-4fe0-9114-4be4c00f012c.

   

5. Select Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension.

6. Select Assignments.

   

7. Use one of the next sections in this article as follows:

   • If the policy isn't yet assigned to the relevant scope, follow the Create a new assignment with a custom workspace steps.
   • If the policy is already assigned and you want to change it to use a custom workspace, follow the Update an assignment with a custom workspace steps.

Create a new assignment with a custom workspace

If the policy isn't yet assigned, the Assignments tab shows the number 0.

To assign a custom workspace:

1. Select Assign.

2. On the Parameters tab, clear the Only show parameters that need input or review option.

3. Select a LogAnalyticsWorkspaceResourceId value from the dropdown menu.

   

4. Select Review + create.

5. Select Create.

Update an assignment with a custom workspace

If the policy is assigned to a workspace, the Assignments tab shows the number 1.

Note

If you have more than one subscription, the number might be higher. If you have a number 1 or higher but the assignment isn't on the relevant scope, follow the Create a new assignment with a custom workspace steps.

To assign a custom workspace:

1. Select the relevant assignment.

   

2. Select Edit assignment.

3. On the Parameters tab, clear the Only show parameters that need input or review option.

4. Select a LogAnalyticsWorkspaceResourceId value from the dropdown menu.

   

5. Select Review + save.

6. Select Save.

Remove the Defender sensor

To remove this (or any) Defender for Cloud extension, it's not enough to turn off automatic provisioning:

• Enabling automatic provisioning potentially affects existing and future machines.
• Disabling automatic provisioning for an extension affects only the future machines. Nothing is uninstalled when you disable automatic provisioning.

Note

To disable the Defender for Containers plan entirely, go to Environment settings and turn off Microsoft Defender for Containers.

Nevertheless, to ensure that the Defender for Containers components aren't automatically provisioned to your resources from now on, disable automatic provisioning of the extensions.

You can remove the extension from currently running machines by using the REST API, the Azure CLI, or a Resource Manager template, as explained on the following tabs.

REST API

Use the REST API to remove the Defender sensor from AKS

To remove the extension by using the REST API, run the following PUT command:

https://management.azure.com/subscriptions/{{SubscriptionId}}/resourcegroups/{{ResourceGroup}}/providers/Microsoft.ContainerService/managedClusters/{{ClusterName}}?api-version={{ApiVersion}}

The command includes these parameters:

Name	Description	Mandatory
SubscriptionId	Cluster's subscription ID	Yes
ResourceGroup	Cluster's resource group	Yes
ClusterName	Cluster's name	Yes
ApiVersion	API version; must be 2022-06-01 or later	Yes

This is the request body:

{
  "location": "{{Location}}",
  "properties": {
    "securityProfile": {
            "defender": {
                "securityMonitoring": {
                    "enabled": false
                }
            }
        }
    }
}

The request body has these parameters:

Name	Description	Mandatory
location	Cluster's location	Yes
properties.securityProfile.defender.securityMonitoring.enabled	Determines whether to enable or disable Microsoft Defender for Containers on the cluster	Yes

Azure CLI

Use the Azure CLI to remove the Defender sensor

1. Run the following commands:

   az login
   az account set --subscription <subscription-id>
   az aks update --disable-defender --resource-group <your-resource-group> --name <your-cluster-name>
   

   Removing the extension might take a few minutes.

2. To verify that you successfully removed the extension, run the following command:

   kubectl get pods -n kube-system | grep microsoft-defender
   

   When the extension is removed, the get pods command doesn't return any pods. Deletion of the pods might take a few minutes.

Resource Manager

Use Azure Resource Manager to remove the Defender sensor from AKS

To use Azure Resource Manager to remove the Defender sensor, you need a Log Analytics workspace on your subscription. Learn more in Log Analytics workspaces.

Tip

If you're new to Resource Manager templates, start here: What are Azure Resource Manager templates?.

The relevant template and parameters to remove the Defender sensor from AKS are:

{ 
    "type": "Microsoft.ContainerService/managedClusters", 
    "apiVersion": "2022-06-01", 
    "name": "string", 
    "location": "string",
    "properties": {
        …
        "securityProfile": { 
            "defender": { 
                "securityMonitoring": {
                    "enabled": false
                }
            }
        }
    }
}

Related content

Now that you've enabled Defender for Containers, you can:

• Scan your Azure Container Registry images for vulnerabilities
• Scan your AWS images for vulnerabilities with Microsoft Defender Vulnerability Management
• Scan your GCP images for vulnerabilities with Microsoft Defender Vulnerability Management
• Check out common questions about Defender for Containers.

To learn more about Defender for Cloud and Defender for Containers, check out the following blogs:

• Protect your Google Cloud workloads with Microsoft Defender for Cloud
• Introducing Microsoft Defender for Containers
• A new name for multicloud security: Microsoft Defender for Cloud