turbot/azure_compliance

Control: 3.1.4.1 Ensure That Microsoft Defender for Containers Is Set To 'On'

Description

Turning on Microsoft Defender for Containers enables threat detection for Container Registries including Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud. The following services will be enabled for container instances:

  • Defender agent in Azure
  • Azure Policy for Kubernetes
  • Agentless discovery for Kubernetes
  • Agentless container vulnerability assessment

Enabling Microsoft Defender for Container Registries allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

Remediation

From Azure Portal

  1. Go to Microsoft Defender for Cloud.
  2. Under Management, select Environment Settings.
  3. Click on the subscription name.
  4. Select Defender plans.
  5. Set Status to On for Containers.
  6. Click Save.

From Azure CLI

(Note: 'ContainerRegistry' has been deprecated and is replaced by 'Containers')

Use the below command to enable Standard pricing tier for Containers.

az security pricing create -n 'Containers' --tier 'standard'

From Powershell

(Note: 'ContainerRegistry' has been deprecated and is replaced by 'Containers')

Use the below command to enable Standard pricing tier for Containers.

Set-AzSecurityPricing -Name 'Containers' -PricingTier 'Standard'

Default Value

By default, Microsoft Defender for Containers is off.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v300_3_1_4_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v300_3_1_4_1 --share

SQL

This control uses a named query:

securitycenter_azure_defender_on_for_containerregistry

Tags