Control: 8.1.4.1 Ensure That Microsoft Defender for Containers Is Set To 'On'
Description
Microsoft Defender for Containers helps improve, monitor, and maintain the security of containerized assets—including Kubernetes clusters, nodes, workloads, container registries, and images—across multi-cloud and on-premises environments.
By default, when enabling the plan through the Azure Portal, Microsoft Defender for Containers automatically configures the following components:
- Agentless scanning for machines
- Defender sensor for runtime protection
- Azure Policy for enforcing security best practices
- K8S API access for monitoring and threat detection
- Registry access for vulnerability assessment
Note: Microsoft Defender for Container Registries ('ContainerRegistry') is deprecated and has been replaced by Microsoft Defender for Containers ('Containers').
Remediation
Remediate from Azure Portal
- Go to
Microsoft Defender for Cloud. - Under
Management, clickEnvironment settings. - Click the name of a subscription.
- Under
Settings, clickDefender plans. - Under
Cloud Workload Protection (CWP),in the row forContainers, clickOnin theStatuscolumn. - If
Monitoring coveragedisplaysPartial, clickSettingsunderPartial. - Set the status of each of the components to
On. - Click
Continue. - Click
Save. - Repeat steps 1-9 for each subscription.
Remediate from Azure CLI
Note: Microsoft Defender for Container Registries ('ContainerRegistry') is deprecated and has been replaced by Microsoft Defender for Containers ('Containers').
Run the below command to enable the Microsoft Defender for Containers plan and its components:
az security pricing create -n 'Containers' --tier 'standard' --extensionsname=ContainerRegistriesVulnerabilityAssessments isEnabled=True --extensionsname=AgentlessDiscoveryForKubernetes isEnabled=True --extensionsname=AgentlessVmScanning isEnabled=True --extensions name=ContainerSensorisEnabled=True
Remediate from PowerShell
Note: Microsoft Defender for Container Registries ('ContainerRegistry') is deprecated and has been replaced by Microsoft Defender for Containers ('Containers').
Run the below command to enable the Microsoft Defender for Containers plan and its components:
Set-AzSecurityPricing -Name 'Containers' -PricingTier 'Standard' -Extension'[{"name":"ContainerRegistriesVulnerabilityAssessments","isEnabled":"True"},{"name":"AgentlessDiscoveryForKubernetes","isEnabled":"True"},{"name":"AgentlessVmScanning","isEnabled":"True"},{"name":"ContainerSensor","isEnabled":"True"}]'
Default Value
The Microsoft Defender for Containers plan is disabled by default.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v500_8_1_4_1Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v500_8_1_4_1 --shareSQL
This control uses a named query:
select sub_pricing.id as resource, case when pricing_tier = 'Standard' then 'ok' else 'alarm' end as status, case when pricing_tier = 'Standard' then 'Azure Defender on for Container Registry.' else 'Azure Defender off for Container Registry.' end as reason , sub.display_name as subscriptionfrom azure_security_center_subscription_pricing sub_pricing right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_idwhere name = 'ContainerRegistry';