Control: 2.6 Ensure that Microsoft Defender for Kubernetes is set to 'On'

Description

Enabling Azure Defender threat detection for Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. It also allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

Remediation

From Console

Perform the following action to check Azure Defender is set to On for Kubernetes:

Go to Microsoft Defender for Cloud
Select Environment Settings blade
Click on the subscription name
Select the Defender plans blade
On the line in the table for Storage Select On under Plan
Select Save

From Command Line

Command to enable Azure defender for Kubernetes

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/pricings/KubernetesService?api-version=2018-06-01 -d@"input.json"'

Where input.json contains the request body json data as mentioned below

{
  "id":"/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/pricings/KubernetesService",
  "name":"KubernetesService",
  "type":"Microsoft.Security/pricings",
  "properties":{
    "pricingTier":"Standard"
  }
}

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v140_2_6

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v140_2_6 --share

SQL

This control uses a named query:

securitycenter_azure_defender_on_for_k8s