Thursday, September 2, 2021

Azure Defender PoC Series - Azure Defender for Kubernetes

Introduction 

In this article, I continue the Azure Defender PoC series by providing guidelines and considerations for successfully performing a proof of concept for the Azure Defender for Kubernetes plan. For a more holistic approach that also validates Azure Security Center and Azure Defender, check out How to Effectively Perform an Azure Security Center PoC.

 

Planning 

As part of this PoC, it is important to understand that Azure Defender for Kubernetes provides threat detection and protection at the cluster level by continuously monitoring your cluster's logs. The detections cover security events such as exposed Kubernetes dashboards and the creation of highly privileged roles. For AKS clusters, no provisioning is required beyond enabling Azure Defender, because the plan is integrated into AKS through the Azure backbone.

 

Azure Defender for Kubernetes also protects Kubernetes clusters wherever they run, including on-premises and multi-cloud clusters. For those clusters, you first connect the cluster to Azure Arc and then deploy the Azure Defender for Kubernetes extension. For a comprehensive understanding of how to deploy the extension, visit the following resources:

 

If this is your first time enabling Azure Defender, you can try it for free for 30 days while you execute your PoC. During this time, you can decide whether to keep the plan; if you choose not to, be sure to disable it at the end of the free trial to avoid charges. For pricing information, visit Pricing—Azure Defender | Microsoft Azure.

 

Preparation 

To enable Azure Defender for Kubernetes, you need the Security Admin role in the subscription where the plan will be enabled. To enable the plan, switch the toggle from “off” to “on” as pictured below.

Figure 1: Enable Azure Defender for Kubernetes
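For a PoC that spans several subscriptions, the same enablement can be scripted, and the free-trial clock mentioned in the Planning section checked, from the Azure CLI. The helper below is an added example and not code from the article or from Microsoft; the az commands are the CLI's own (az security pricing, az k8s-extension), while the subscription id, cluster and resource-group names are placeholders and the JSON sample is a constructed imitation of the output of az security pricing show.

```python
"""Script the PoC enablement steps with the Azure CLI and check the result (added example).

Commands are the Azure CLI's own (az security pricing, az k8s-extension); the
subscription, cluster and resource-group names are placeholders, and SAMPLE_PRICING
is a constructed imitation of 'az security pricing show' output.
"""
import json
import re
import shlex
import subprocess

PLAN_NAME = "KubernetesService"  # pricing-plan name for Azure Defender for Kubernetes


def enable_plan_command(subscription_id):
    """Equivalent of flipping the Figure 1 toggle to 'on' for one subscription."""
    return ["az", "security", "pricing", "create", "--name", PLAN_NAME,
            "--tier", "Standard", "--subscription", subscription_id]


def show_plan_command(subscription_id):
    """Read back the plan so the PoC can confirm the tier actually changed."""
    return ["az", "security", "pricing", "show", "--name", PLAN_NAME,
            "--subscription", subscription_id, "--output", "json"]


def arc_extension_command(cluster, resource_group):
    """Deploy the Defender extension on an Azure Arc-enabled (non-AKS) cluster."""
    return ["az", "k8s-extension", "create", "--name", "azure-defender",
            "--cluster-type", "connectedClusters", "--cluster-name", cluster,
            "--resource-group", resource_group,
            "--extension-type", "Microsoft.AzureDefender.Kubernetes"]


_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def trial_days_left(iso_duration):
    """Convert the ISO 8601 duration in freeTrialRemainingTime (e.g. 'P29DT12H') to days."""
    m = _DURATION.match(iso_duration)
    if not m:
        raise ValueError(f"unrecognised duration: {iso_duration}")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d + h / 24 + mi / 1440 + s / 86400


def check_plan(pricing):
    """Summarise one 'show' result: is the plan on, and how much free trial remains."""
    enabled = pricing.get("pricingTier") == "Standard"
    remaining = pricing.get("freeTrialRemainingTime")
    return {"name": pricing.get("name"), "enabled": enabled,
            "trial_days_left": trial_days_left(remaining) if remaining else None}


# Constructed sample of what the 'show' command returns after enabling the plan.
SAMPLE_PRICING = {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000"
          "/providers/Microsoft.Security/pricings/KubernetesService",
    "name": "KubernetesService",
    "pricingTier": "Standard",
    "freeTrialRemainingTime": "P29DT12H",
    "type": "Microsoft.Security/pricings",
}


def run(cmd):
    """Run an az command and return its parsed JSON output (needs a logged-in az CLI)."""
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


if __name__ == "__main__":
    sub = "00000000-0000-0000-0000-000000000000"  # placeholder subscription id
    for cmd in (enable_plan_command(sub), show_plan_command(sub),
                arc_extension_command("arc-cluster-01", "rg-arc")):
        print(shlex.join(cmd))
    # Offline: evaluate the constructed sample instead of calling az (use run(show_plan_command(sub)) live).
    print(check_plan(SAMPLE_PRICING))
```

Running the script prints the three commands and the summary of the sample; against a real subscription, replace the sample with run(show_plan_command(sub)). A trial_days_left value near zero is the cue from the Planning section to decide whether to keep the plan or switch it back to Free before charges start.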

 

The Security Admin role also lets you dismiss alerts; if a user only needs to review findings, grant them the Security Reader role instead. When anomalous behavior occurs on your Kubernetes cluster, Azure Defender for Kubernetes raises alerts. To familiarize yourself with the alerts this plan can generate, review the Alerts Reference Guide.

 

To make sure you have a complete understanding of Azure Defender for Kubernetes, also check out these resources:

 

Implementation and Validation 

Once the plan is enabled, you can verify that Azure Defender is running properly by simulating an alert as described in the following resources:

 

If you find alerts that are not relevant to your environment, you can either dismiss them manually or create suppression rules that dismiss them automatically in the future.
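Before creating a suppression rule during the PoC, it helps to see exactly which alerts it would swallow. The script below is an added example and not the article's or Security Center's code: it applies rules shaped like the Microsoft.Security/alertsSuppressionRules resource (alertType, state, expirationDateUtc, suppressionAlertsScope.allOf with field/contains or field/in conditions) to a batch of alerts. The alert types, field paths, namespaces and rule name are constructed placeholders, and the evaluation is a local approximation of the service's matching rather than its actual implementation.

```python
"""Apply suppression rules to a batch of alerts offline (added example, not Security Center code).

The rule shape follows the Microsoft.Security/alertsSuppressionRules resource;
alert types, field paths and namespaces below are constructed placeholders.
"""
from datetime import datetime, timezone

# Constructed sample alerts, shaped like the alert JSON returned by Security Center.
SAMPLE_ALERTS = [
    {"id": "a1", "alertType": "K8S_ExampleAlert",
     "entities": {"kubernetes": {"namespace": "dev-sandbox", "pod": "scanner-1"}}},
    {"id": "a2", "alertType": "K8S_ExampleAlert",
     "entities": {"kubernetes": {"namespace": "prod-payments", "pod": "api-7"}}},
    {"id": "a3", "alertType": "K8S_OtherAlert",
     "entities": {"kubernetes": {"namespace": "dev-sandbox", "pod": "job-2"}}},
]

# Constructed rule: dismiss the example alert only in the sandbox namespace, and only until it expires.
SAMPLE_RULES = [
    {"name": "dev-sandbox-scanner", "alertType": "K8S_ExampleAlert", "state": "Enabled",
     "reason": "Other", "comment": "Authorized scanner in sandbox",
     "expirationDateUtc": "2021-12-31T00:00:00Z",
     "suppressionAlertsScope": {"allOf": [
         {"field": "entities.kubernetes.namespace", "contains": "dev-sandbox"}]}},
]


def get_field(obj, path):
    """Resolve a dotted field path such as 'entities.kubernetes.namespace'."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def parse_utc(ts):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the rule into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def condition_matches(cond, alert):
    value = get_field(alert, cond["field"])
    if value is None:
        return False
    if "contains" in cond:
        return cond["contains"] in str(value)
    if "in" in cond:
        return value in cond["in"]
    return False


def rule_matches(rule, alert, now):
    if rule.get("state") != "Enabled" or rule["alertType"] != alert["alertType"]:
        return False
    if "expirationDateUtc" in rule and now >= parse_utc(rule["expirationDateUtc"]):
        return False
    conditions = rule.get("suppressionAlertsScope", {}).get("allOf", [])
    # A rule with no scope conditions dismisses every alert of that type: keep scopes narrow.
    return all(condition_matches(c, alert) for c in conditions)


def apply_rules(alerts, rules, now):
    """Return (kept ids, {suppressed id: rule name}) for the alerts as of 'now'."""
    kept, suppressed = [], {}
    for alert in alerts:
        hit = next((r["name"] for r in rules if rule_matches(r, alert, now)), None)
        if hit:
            suppressed[alert["id"]] = hit
        else:
            kept.append(alert["id"])
    return kept, suppressed


if __name__ == "__main__":
    now = datetime(2021, 9, 2, tzinfo=timezone.utc)
    kept, suppressed = apply_rules(SAMPLE_ALERTS, SAMPLE_RULES, now)
    print("kept:", kept)
    print("suppressed:", suppressed)
```

The same alert type in the production namespace (a2) and the unrelated alert type (a3) survive, and once the rule's expiration date passes nothing is suppressed, which is the behaviour to confirm before a rule goes live: scope it to the entity that makes the alert benign, give it an expiration, and re-run the check when the PoC environment changes.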

 

Conclusion 

By the end of this PoC, you should be able to determine the value of Azure Defender for Kubernetes and the significance of this level of threat detection on your workloads.  

 

Reviewers

@Yuri Diogenes , Principal Program Manager

@Maya_Herskovic , Senior Program Manager

Posted at https://sl.advdat.com/3jAF3f0