Introduction
In this article, I continue the Azure Defender PoC series by providing you with guidelines and considerations for how to successfully perform a proof of concept for the Azure Defender for Kubernetes plan. For a more holistic approach that involves validating Azure Security Center and Azure Defender, check out How to Effectively Perform an Azure Security Center PoC.
Planning
As part of this PoC, it is important to understand that Azure Defender for Kubernetes provides threat detection and protection at the cluster level by continuously monitoring your cluster's logs. This includes different security events such as exposed Kubernetes dashboards and the creation of highly privileged roles. For AKS clusters, there are no provisioning actions required aside from enabling Azure Defender, because Azure Defender is integrated into AKS through the Azure backbone.
Azure Defender for Kubernetes will also protect your Kubernetes clusters wherever they are running, including on-premises or multi-cloud clusters. For multi-cloud and on-premises clusters, you will need to connect your Kubernetes cluster to Azure Arc and then deploy the Azure Defender for Kubernetes extension. For a comprehensive understanding of how to deploy the extension, visit the following resources:
- Overview of Azure Arc enabled Kubernetes - Azure Arc | Microsoft Docs
- Quickstart: Connect an existing Kubernetes cluster to Azure Arc - Azure Arc | Microsoft Docs
- Protect hybrid and multi-cloud Kubernetes deployments with Azure Defender for Kubernetes | Microsoft Docs
If this is your first time enabling Azure Defender, try it out for free for 30 days while you execute your PoC. During this time, you can decide if you want to keep this plan; if you choose otherwise, be sure to disable it at the end of the free trial to avoid charges. For more pricing information, please visit: Pricing - Azure Defender | Microsoft Azure.
Preparation
To enable Azure Defender for Kubernetes, you will need to have the Security Admin role in the subscription where the plan will be enabled. To enable this plan, you simply switch the toggle from "off" to "on" as pictured below.
Besides enabling the plan, you can also use the Security Admin role to dismiss alerts; however, if a user only needs to review findings, you can grant only the Security Reader role to that user. When anomalous behavior occurs on your Kubernetes cluster, Azure Defender for Kubernetes will show alerts. To familiarize yourself with the alerts you may receive with this plan, review the Alerts Reference Guide.
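The portal toggle above, the verification a PoC should include, and the Azure Arc extension deployment described in the Planning section can also be scripted with the Azure CLI. The following is an added example and not code from the original article; it assumes `az` is installed and logged in as a Security Admin on the target subscription, and the cluster and resource-group names are placeholders.

```shell
#!/usr/bin/env sh
# Added example (not from the original article): enable the Azure Defender for
# Kubernetes plan with the Azure CLI, verify the tier actually changed, and
# (for Arc-connected clusters) deploy the Azure Defender extension.
# Assumes `az` is installed and logged in with the Security Admin role.
# ARC_CLUSTER and RESOURCE_GROUP are placeholders.

PLAN_NAME="KubernetesService"                   # pricing name of the Kubernetes plan
ARC_CLUSTER="${ARC_CLUSTER:-my-arc-cluster}"     # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-my-rg}"        # placeholder
EXTENSION_TYPE="microsoft.azuredefender.kubernetes"

# Pure check: given the JSON returned by `az security pricing show`, succeed
# only when the plan is on the Standard (Azure Defender) tier, not Free.
defender_k8s_enabled() {
    printf '%s' "$1" | tr -d ' \n' | grep -qi '"pricingTier":"Standard"'
}

# Turn the plan on (equivalent to switching the portal toggle to "on").
enable_plan() {
    az security pricing create --name "$PLAN_NAME" --tier Standard >/dev/null
}

# Read the tier back and fail loudly if the change did not take effect.
verify_plan() {
    json=$(az security pricing show --name "$PLAN_NAME" -o json)
    if defender_k8s_enabled "$json"; then
        echo "Azure Defender for Kubernetes: enabled (Standard tier)"
    else
        echo "Azure Defender for Kubernetes: NOT enabled" >&2
        return 1
    fi
}

# For on-premises / multi-cloud clusters already connected to Azure Arc,
# deploy the Azure Defender for Kubernetes extension onto the cluster.
deploy_arc_extension() {
    az k8s-extension create \
        --name "$EXTENSION_TYPE" \
        --extension-type "$EXTENSION_TYPE" \
        --cluster-type connectedClusters \
        --cluster-name "$ARC_CLUSTER" \
        --resource-group "$RESOURCE_GROUP"
}

# Only talk to Azure when explicitly asked, so the file can be sourced safely.
if [ "${RUN_DEFENDER_POC:-0}" = "1" ]; then
    enable_plan && verify_plan
    [ "${DEPLOY_ARC_EXTENSION:-0}" = "1" ] && deploy_arc_extension
fi
```

Run it with `RUN_DEFENDER_POC=1` to enable and verify the plan, and add `DEPLOY_ARC_EXTENSION=1` for an Arc-connected cluster; remember to disable the plan after the trial if you decide not to keep it.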
To make sure you have a complete understanding of Azure Defender for Kubernetes, make sure to also check out these resources:
- Threat Matrix for Kubernetes | Azure Security Center in the Field #11 - YouTube
- Azure Arc and Azure Defender for Kubernetes | Azure Security Center in the Field #27 - YouTube
Implementation and Validation
Once enabled, you can check to see if Azure Defender is running properly by simulating an alert as instructed by the following resources:
- Alert validation in Azure Security Center | Microsoft Docs
- How to demonstrate the new containers features in Azure Security Center - Microsoft Tech Community
If you find alerts that are not relevant to your environment, you can either manually dismiss them or create suppression rules to automatically dismiss them in the future.
Conclusion
By the end of this PoC, you should be able to determine the value of Azure Defender for Kubernetes and the significance of this level of threat detection on your workloads.
Reviewers
@Yuri Diogenes, Principal Program Manager
@Maya_Herskovic, Senior Program Manager
Posted at https://sl.advdat.com/3jAF3f0