Control: 9.1.4.1 Ensure That Microsoft Defender for Containers Is Set To 'On'
Description
Microsoft Defender for Containers helps improve, monitor, and maintain the security of containerized assets—including Kubernetes clusters, nodes, workloads, container registries, and images—across multi-cloud and on-premises environments.
By default, when enabling the plan through the Azure Portal, Microsoft Defender for Containers automatically configures the following components:
- Agentless scanning for machines
- Defender sensor for runtime protection
- Azure Policy for enforcing security best practices
- K8S API access for monitoring and threat detection
- Registry access for vulnerability assessment
Note: Microsoft Defender for Container Registries ('ContainerRegistry') is deprecated and has been replaced by Microsoft Defender for Containers ('Containers').
Enabling Microsoft Defender for Containers enhances defense-in-depth by providing advanced threat detection, vulnerability assessment, and security monitoring for containerized environments, leveraging insights from the Microsoft Security Response Center (MSRC).
Remediation
From Azure Portal
- Go to
Microsoft Defender for Cloud. - Under
Management, clickEnvironment settings. - Click the name of a subscription.
- Under
Settings, clickDefender plans. - Under
Cloud Workload Protection (CWP), in the row forContainers, clickOnin theStatuscolumn. - If
Monitoring coveragedisplaysPartial, clickSettingsunderPartial. - Set the status of each of the components to
On. - Click
Continue. - Click
Save. - Repeat steps 1-9 for each subscription.
From Azure CLI
Note: Microsoft Defender for Container Registries ('ContainerRegistry') is deprecated and has been replaced by Microsoft Defender for Containers ('Containers').
Run the below command to enable the Microsoft Defender for Containers plan and its components:
az security pricing create -n 'Containers' --tier 'standard' --extensions name=ContainerRegistriesVulnerabilityAssessments isEnabled=True --extensions name=AgentlessDiscoveryForKubernetes isEnabled=True --extensions name=AgentlessVmScanning isEnabled=True --extensions name=ContainerSensor isEnabled=TrueFrom PowerShell
Note: Microsoft Defender for Container Registries ('ContainerRegistry') is deprecated and has been replaced by Microsoft Defender for Containers ('Containers').
Run the below command to enable the Microsoft Defender for Containers plan and its components:
Set-AzSecurityPricing -Name 'Containers' -PricingTier 'Standard' -Extension '[{"name":"ContainerRegistriesVulnerabilityAssessments","isEnabled":"True"},{"name":"AgentlessDiscoveryForKubernetes","isEnabled":"True"},{"name":"AgentlessVmScanning","isEnabled":"True"},{"name":"ContainerSensor","isEnabled":"True"}]'Default Value
The Microsoft Defender for Containers plan is disabled by default.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v400_9_1_4_1Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v400_9_1_4_1 --shareSQL
This control uses a named query:
select sub_pricing.id as resource, case when pricing_tier = 'Standard' then 'ok' else 'alarm' end as status, case when pricing_tier = 'Standard' then 'Azure Defender on for Container Registry.' else 'Azure Defender off for Container Registry.' end as reason , sub.display_name as subscriptionfrom azure_security_center_subscription_pricing sub_pricing right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_idwhere name = 'ContainerRegistry';