Alerts for Kubernetes Clusters

Microsoft Defender for Containers generates security alerts for Kubernetes clusters and workloads by monitoring both the control plane and the runtime environment. To validate alert generation, you can use the Kubernetes alerts simulation tool to trigger representative alerts.

The alerts available in an environment depend on the Kubernetes distribution (AKS, EKS, GKE, or Arc-enabled), the installed components, and the specific activities being monitored.

Control plane detection

The Kubernetes control plane manages and orchestrates all resources within the cluster. Defender for Containers monitors Kubernetes API server activity to identify suspicious operations that might affect cluster security.

Examples of suspicious control plane operations include:

  • Privileged container deployments: Monitoring for unauthorized deployments or excessive use of privileges that could lead to host-system breaches.
  • Risky service exposures: Identifying services unintentionally exposed to the public Internet or lacking proper access controls.
  • Suspicious service account activities: Detecting unusual patterns such as excessive resource requests or unauthorized API calls.
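The following is an added illustration of the kind of control-plane signal described above, written for this page and not Defender for Containers' own detection logic: it scans a few constructed Kubernetes audit-log events (assumed minimal audit format) and flags privileged or host-namespace pod deployments and LoadBalancer services that expose an assumed list of sensitive ports.

```python
# Added example (not Defender for Containers' own logic): flag two of the
# control-plane patterns described above in Kubernetes audit-log events.
import json

# Constructed sample events using a minimal subset of the Kubernetes audit format.
SAMPLE_AUDIT_LOG = [
    json.dumps({"verb": "create", "user": {"username": "dev-user"},
                "objectRef": {"resource": "pods", "namespace": "default", "name": "debug"},
                "requestObject": {"spec": {"hostPID": True, "containers": [
                    {"name": "c", "securityContext": {"privileged": True}}]}}}),
    json.dumps({"verb": "create", "user": {"username": "ci-bot"},
                "objectRef": {"resource": "services", "namespace": "prod", "name": "web"},
                "requestObject": {"spec": {"type": "LoadBalancer", "ports": [{"port": 22}]}}}),
    json.dumps({"verb": "get", "user": {"username": "dev-user"},
                "objectRef": {"resource": "pods", "namespace": "default", "name": "api"}}),
]

# Assumed list of ports that should not face the Internet; tune per environment.
SENSITIVE_PORTS = {22, 2375, 2376, 6443, 10250}

def findings_for_event(event: dict) -> list:
    """Return findings for one audit event; an empty list means nothing suspicious."""
    findings = []
    if event.get("verb") not in ("create", "update", "patch"):
        return findings  # only mutating calls can deploy or expose anything
    ref = event.get("objectRef", {})
    spec = event.get("requestObject", {}).get("spec", {})
    who = event.get("user", {}).get("username", "?")
    target = f"{ref.get('namespace')}/{ref.get('name')}"
    if ref.get("resource") == "pods":
        for c in spec.get("containers", []):
            if c.get("securityContext", {}).get("privileged"):
                findings.append(f"privileged container '{c['name']}' in pod {target} by {who}")
        for flag in ("hostPID", "hostNetwork", "hostIPC"):  # host namespace sharing
            if spec.get(flag):
                findings.append(f"{flag} enabled on pod {target} by {who}")
    elif ref.get("resource") == "services" and spec.get("type") == "LoadBalancer":
        exposed = sorted({p.get("port") for p in spec.get("ports", [])} & SENSITIVE_PORTS)
        if exposed:
            findings.append(f"service {target} exposes ports {exposed} via LoadBalancer by {who}")
    return findings

def scan_audit_log(lines) -> list:
    """Parse newline-delimited JSON audit entries and collect all findings."""
    out = []
    for line in lines:
        out.extend(findings_for_event(json.loads(line)))
    return out
```

Calling `scan_audit_log(SAMPLE_AUDIT_LOG)` returns three findings for the constructed events: a privileged container, a pod sharing the host PID namespace, and a LoadBalancer service exposing port 22; the read-only `get` event produces nothing.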

Workload runtime detection

Defender for Containers uses the Defender sensor to monitor workload runtime activity and detect suspicious process creation or network behavior.

Key detection categories include:

  • Web shell activity: Detects behaviors that resemble web shell invocations on running containers.
  • Crypto mining activity: Detects behavior associated with crypto mining, such as CPU optimization patterns, suspicious download activity, and known mining processes.
  • Network scanning tools: Detects tools commonly used for malicious reconnaissance.
  • Binary drift detection: Detects workload binaries that have drifted from the original container image. To learn more, see Binary drift detection.

Kubernetes alerts simulation tool

Defender for Containers provides an open-source, Python-based CLI tool that simulates Kubernetes attack scenarios and helps you verify that Kubernetes security alerts are generated.

The simulation tool is maintained in the Defender for Cloud Attack Simulation GitHub repository. To review the latest prerequisites, installation steps, available scenarios, and expected alerts, see the repository README.

Note

The simulation tool doesn't contain malicious code. Run it on a dedicated test cluster instead of a production cluster.

After you run the simulation, some alerts are generated in near real time. Others can take up to an hour to appear.

To review generated alerts:

  1. Sign in to the Azure portal.

  2. Go to Microsoft Defender for Cloud > Security alerts.

  3. Review alerts related to the simulated cluster and scenario.

Note

The simulation tool deploys test resources to the cluster. After you finish testing, remove those resources according to your organization's test environment procedures.