Tuesday, April 12, 2022

How to demonstrate the new containers features in Microsoft Defender for Cloud

How to demonstrate the new containers features in Microsoft Defender for Cloud

To address the evolving security challenges surrounding container solutions our team recently announced Microsoft Defender for Containers – a new cloud workload protection plan designed around the unique needs of container-based solutions including Azure Kubernetes Service, Amazon EKS, Google GKE and on-prem environments. It is part of Microsoft Defender for Cloud.
It merges two previous legacy plans which we had, namely Microsoft Defender for Kubernetes and Microsoft Defender for Container registries. It doesn’t remove any functionalities which were present in these legacy plans, it does however add new set of critical features on top of it, like threat protection on the Worker Node level for VMSS nodes.
Other critical capabilities include Advanced Threat Protection, VA, Hardening Controls, Multi-Cloud Support and Kubernetes-Native Deployment.




You can learn more about these capabilities reading the following articles: 

Microsoft launches dedicated Container protection plan

On this blog post we will focus on how to simulate alerts that are part of the AKS advanced threat Detection. 


Simulate AKS alert on Microsoft Defender for Cloud 

To simulate AKS alert on a cluster that is protected under Microsoft Defender for Cloud follow the following steps: 

  1. Validate that your Microsoft Defender for Containers plan pricing tier is enabled. If it is not, make sure to enabled it. 


2. From Azure CLI login to the AKS subscription by running the above commands: 




az login 
az account set --subscription "MyAzureSubName"  




      3. Download AKS tools for Azure CLI and add a local path: 




az aks install-cli
$env:path += 'C:\Users\User\.azure-kubectl' 




4. Run the alert simulation command below: 




kubectl get pods --namespace=asc-alerttest-662jfi039n




You may see an output like the one below:


Wait approximately 30 minutes and open Microsoft Defender for Cloud alert blade: 

In the Azure portal, open Microsoft Defender for Cloud's security alerts page and look for the alert on the relevant resource:



Once you see it, click on it until you see the full details, as shown below: 


The full list of available threat detection alerts can be found here.


Simulate scanning for a vulnerable container image to an Azure Container Registry (ACR) and present its recommendation in Microsoft Defender for Cloud.


When Defender for Containers is enabled, any image you push to your registry will be scanned immediately. In addition, any image pulled within the last 30 days is also scanned.


Key notes about this feature are: 

When the scanner reports vulnerabilities to Defender for Cloud, Defender for Cloud presents the findings and related information as recommendations. In addition, the findings include related information such as remediation steps, relevant CVEs, CVSS scores, and more.


You can view the identified vulnerabilities for one or more subscriptions, or for a specific registry.

To simulate this, the first step is to install Docker desktop.

Follow the steps below to do that: 

  1. Navigate to https://www.docker.com/products/docker-desktop 
  2. Download and install Docker, Check the system requirements, Get Docker | Docker Documentation
  3. After the installation, open PowerShell 
  4. Verify your docker version by executing in PowerShell:
    docker version​

You may see an output like the one below:



  1. Create Container registry in Azure portal or via CLI.

      Follow the steps below to do that and continue the validation:

Create an Azure container registry using the Azure portal

  1. Sign in to Azure
  2. Sign in to the Azure portal at https://portal.azure.com.
  3. Create a container registry

Select Create a resource > Containers > Container Registry.


In the Basics tab, enter values for Resource group and Registry name. The registry name must be unique within Azure, and contain 5-50 alphanumeric characters. For this quickstart create a new resource group in the West US location named myResourceGroup, and for SKU, select 'Basic'.


  1. Accept default values for the remaining settings. Then select Review + create. After reviewing the settings, select Create.
  2. When the Deployment succeeded message appears, select the container registry in the portal.
  3. copy the Login server URL


4. Open PowerShell and run (where the name is the ACR name that you created) the command below:




az acr login --name secteach365




You may see an output like the one below:


5. Download vulnerable image from docker hub https://hub.docker.com/r/vulnerables/web-dvwa/,

by running the command below:




docker pull vulnerables/web-dvwa




A sample of the output is shown below: 


6. Check the image on your local repository by running the command below:




Docker images vulnerables/web-dvwa




A sample of the output is shown below: 


7. In this step we need to tag our image with the ACR Login URL that we copied in steps Execute the following command: 




Docker tag  vulnerables/web-dvwa:latest  secteach365.azurecr.io/vulnerables/web-dvwa:v1




8. Check again the image on your local repository by running the command below: 




Docker images secteach365.azurecr.io/vulnerables/web-dvwa





9. Run docker push to upload the new image to the azure repository and generate image scan (it can take some time), using the command below: 




docker push secteach365.azurecr.io/vulnerables/web-dvwa:v1





Once done check on your ACR repository and validate that you have a new repository with a new image.


  1. Navigate to Microsoft Defender for Cloud > Recommendations. Select the recommendation "Container registry images should have vulnerability findings resolved" to view the recommendation details page.


Drill down to the recommendation and review image and the set of vulnerabilities that Microsoft Defender for Cloud has discovered. 



In this blogpost, we provided details on the options to simulate alerts that are part of the AKS threat Detection and the image scanning (ACR) recommendation. 

For more information on how Microsoft Defender for Cloud visit our documentation below: Microsoft Defender for Cloud documentation | Microsoft Docs


Special thanks to @Maya_Herskovic, @Yuri Diogenes  for reviewing this article.


This article was originally wrote for Azure Security Center by Yaniv Shasha, you can find the original post here : How to demonstrate the new containers features in Azure Security Center - Microsoft Tech Community


Posted at https://sl.advdat.com/3jy1r8chttps://sl.advdat.com/3jy1r8c