Common questions about protecting containers

Get answers to common questions about protecting containers

What are the options to enable the new plan at scale?

You can use the Azure Policy Configure Microsoft Defender for Containers to be enabled, to enable Defender for Containers at scale. You can also see all of the options that are available to enable Microsoft Defender for Containers.

Does Microsoft Defender for Containers support AKS clusters with virtual machines scale sets?

Yes.

Does Microsoft Defender for Containers support AKS without scale set (default)?

No. Only Azure Kubernetes Service (AKS) clusters that use Virtual Machine Scale Sets for the nodes is supported.

Do I need to install the Log Analytics VM extension on my AKS nodes for security protection?

No, AKS is a managed service, and manipulation of the IaaS resources isn't supported. The Log Analytics VM extension isn't needed and might result in extra charges.

How can I use my existing Log Analytics workspace?

You can use your existing Log Analytics workspace by following the steps in the Assign a custom workspace workspace section of this article.

Can I delete the default workspaces created by Defender for Cloud?

We don't recommend deleting the default workspace. Defender for Containers uses the default workspaces to collect security data from your clusters. Defender for Containers will be unable to collect data, and some security recommendations and alerts, will become unavailable if you delete the default workspace.

I deleted my default workspace, how can I get it back?

To recover your default workspace, you need to remove the Defender sensor, and reinstall the sensor. Reinstalling the Defender sensor creates a new default workspace.

Where is the default Log Analytics workspace located?

Depending on your region, the default Log Analytics workspace might be located in various locations. To check your region see Where is the default Log Analytics workspace created?

My organization requires me to tag my resources, and the required sensor didn't get installed, what went wrong?

The Defender sensor uses the Log analytics workspace to send data from your Kubernetes clusters to Defender for Cloud. The Defender for Cloud adds the Log analytic workspace and the resource group as a parameter for the sensor to use.

However, if your organization has a policy that requires a specific tag on your resources, it might cause the sensor installation to fail during the resource group or the default workspace creation stage. If it fails, you can either:

  • Assign a custom workspace and add any tag your organization requires.

    or

  • If your company requires you to tag your resource, you should navigate to that policy and exclude the following resources:

    1. The resource group DefaultResourceGroup-<RegionShortCode>
    2. The Workspace DefaultWorkspace-<sub-id>-<RegionShortCode>

    RegionShortCode is a 2-4 letters string.

How does Defender for Containers scan an image?

Defender for Containers pulls the image from the registry and runs it in an isolated sandbox with Microsoft Defender Vulnerability Management for multicloud environments. The scanner extracts a list of known vulnerabilities.

Defender for Cloud filters and classifies findings from the scanner. When an image is healthy, Defender for Cloud marks it as such. Defender for Cloud generates security recommendations only for images that have issues to be resolved. By only notifying you when there are problems, Defender for Cloud reduces the potential for unwanted informational alerts.

How can I identify pull events performed by the scanner?

To identify pull events performed by the scanner, do the following steps:

  1. Search for pull events with the UserAgent of AzureContainerImageScanner.
  2. Extract the identity associated with this event.
  3. Use the extracted identity to identify pull events from the scanner.

What is the difference between Not Applicable Resources and Unverified Resources?

  • Not applicable resources are resources for which the recommendation can't give a definitive answer. The not applicable tab includes reasons for each resource that couldn't be assessed.
  • Unverified resources are resources scheduled to be assessed, but not assessed yet.

Why is Defender for Cloud alerting me to vulnerabilities about an image that isn't in my registry?

Some images might reuse tags from an image that was already scanned. For example, you might reassign the tag “Latest” every time you add an image to a digest. In such cases, the 'old' image does still exist in the registry and might still be pulled by its digest. If the image has security findings and is pulled, it will expose security vulnerabilities.

Does Defender for Containers scan images in Microsoft Container Registry?

Currently, Defender for Containers can scan images in Azure Container Registry (ACR) and AWS Elastic Container Registry (ECR) only. Docker Registry, Microsoft Artifact Registry/Microsoft Container Registry, and Microsoft Azure Red Hat OpenShift (ARO) built-in container image registry aren't supported. Images should first be imported to ACR. Learn more about importing container images to an Azure container registry.

Can I get the scan results via REST API?

Yes. The results are under Sub-Assessments REST API. Also, you can use Azure Resource Graph (ARG), the Kusto-like API for all of your resources: a query can fetch a specific scan.

How do I check which media type my containers are using?

To check an image type, you need to use a tool that can check the raw image manifest such as skopeo, and inspect the raw image format.

  • For the Docker v2 format, the manifest media type would be application/vnd.docker.distribution.manifest.v1+json or application/vnd.docker.distribution.manifest.v2+json, as documented here.
  • For the OCI image format, the manifest media type would be application/vnd.oci.image.manifest.v1+json, and config media type application/vnd.oci.image.config.v1+json, as documented here.

What are the extensions for agentless container posture management?

There are two extensions that provide agentless CSPM functionality:

  • Agentless Container vulnerability assessments: Provides agentless containers vulnerability assessments. Learn more about Agentless Container vulnerability assessment.
  • Agentless discovery for Kubernetes: Provides API-based discovery of information about Kubernetes cluster architecture, workload objects, and setup.

How can I onboard multiple subscriptions at once?

To onboard multiple subscriptions at once, you can use this script.

Why don't I see results from my clusters?

If you don't see results from your clusters, check the following questions:

  • Do you have stopped clusters?
  • Are your resource groups, subscriptions, or clusters locked? If the answer to either of these questions is yes, see the answers in the following questions.

What can I do if I have stopped clusters?

We don't support or charge stopped clusters. To get the value of agentless capabilities on a stopped cluster, you can rerun the cluster.

What do I do if I have locked resource groups, subscriptions, or clusters?

We suggest that you unlock the locked resource group/subscription/cluster, make the relevant requests manually, and then relock the resource group/subscription/cluster by doing the following:

  1. Enable the feature flag manually via CLI by using Trusted Access.
    “az feature register --namespace "Microsoft.ContainerService" --name "TrustedAccessPreview” 
    
  2. Perform the bind operation in the CLI:
    az account set -s <SubscriptionId> 
    az extension add --name aks-preview 
    az aks trustedaccess rolebinding create --resource-group <cluster resource group> --cluster-name <cluster name> --name defender-cloudposture --source-resource-id /subscriptions/<SubscriptionId>/providers/Microsoft.Security/pricings/CloudPosture/securityOperators/DefenderCSPMSecurityOperator --roles  "Microsoft.Security/pricings/microsoft-defender-operator" 
    

For locked clusters, you can also do one of the following steps:

  • Remove the lock.
  • Perform the bind operation manually by making an API request. Learn more about locked resources.

Are you using an updated version of AKS?

What's the refresh interval for Agentless discovery of Kubernetes?

It can take up to 24 hours for changes to reflect in the security graph, attack paths, and the security explorer.

How do I upgrade from the retired Trivy vulnerability assessment to the AWS vulnerability assessment powered by Microsoft Defender Vulnerability Management?

The following steps will remove the single registry recommendation powered by Trivy and add the new registry and runtime recommendations that are powered by MDVM.

  1. Open the relevant AWS connector.
  2. Open the Settings page for Defender for Containers.
  3. Enable Agentless Container Vulnerability Assessment.
  4. Complete the steps of the connector wizard, including deployment of the new onboarding script in AWS.
  5. Manually delete the resources created during onboarding:
    • S3 bucket with the prefix defender-for-containers-va
    • ECS cluster with the name defender-for-containers-va
    • VPC:
      • Tag name with the value defender-for-containers-va
      • IP subnet CIDR 10.0.0.0/16
      • Associated with default security group with the tag name and the value defender-for-containers-va that has one rule of all incoming traffic.
      • Subnet with the tag name and the value defender-for-containers-va in the defender-for-containers-va VPC with the CIDR 10.0.1.0/24 IP subnet used by the ECS cluster defender-for-containers-va
      • Internet Gateway with the tag name and the value defender-for-containers-va
      • Route table - Route table with the tag name and value defender-for-containers-va, and with these routes:
        • Destination: 0.0.0.0/0; Target: Internet Gateway with the tag name and the value defender-for-containers-va
        • Destination: 10.0.0.0/16; Target: local

To get vulnerability assessments for running images, either enable Agentless discovery for Kubernetes or deploy the Defender sensor on your Kubernetes clusters.