last sync: 2024-Jun-24 18:15:26 UTC

[Deprecated]: Azure Defender for Kubernetes should be enabled

Azure BuiltIn Policy definition

Source Azure Portal
Display name [Deprecated]: Azure Defender for Kubernetes should be enabled
Id 523b5cd1-3e23-492f-a539-13118b6d1e3a
Version 1.0.3-deprecated
Category Security Center
Description Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities.
Mode All
Type BuiltIn
Preview False
Deprecated True
Effect (default) AuditIfNotExists
Effect (allowed) AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases, THEN-ExistenceCondition (1)
Alias: Microsoft.Security/pricings/pricingTier
Namespace: Microsoft.Security
ResourceType: pricings
Path: properties.pricingTier
PathIsDefault: True
DefaultPath: (none)
Modifiable: False
Rule resource types, IF (1)
Microsoft.Resources/subscriptions
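The two rule facts above (the IF matches subscriptions, the THEN is an existence condition on Microsoft.Security/pricings/pricingTier) are enough to model how this definition decides compliance. The following is an added example, not code from the policy page or from Microsoft: a small Python evaluator that mimics an AuditIfNotExists existence check over a constructed pricings payload, honours the two allowed effects (AuditIfNotExists, Disabled), and evaluates the legacy plan next to its successor. The plan name "KubernetesService" for this definition and "Containers" as the successor plan are assumptions, as is the JSON shape, which is a constructed stand-in for a pricings list response rather than a capture from a real subscription.

```python
"""Added example (not from the policy page or Microsoft): mimic how an
AuditIfNotExists policy such as 523b5cd1-3e23-492f-a539-13118b6d1e3a decides
compliance for a subscription, using the alias the page lists.

Assumptions, labelled as such: the legacy plan name is taken to be
"KubernetesService" and its successor "Containers"; SAMPLE_PRICINGS is a
constructed stand-in for a Microsoft.Security/pricings list response.
"""
import json

# Constructed sample payload (values made up; shape of a pricings list response)
SAMPLE_PRICINGS = json.loads("""
{
  "value": [
    {"name": "VirtualMachines",   "properties": {"pricingTier": "Standard"}},
    {"name": "KubernetesService", "properties": {"pricingTier": "Free"}},
    {"name": "Containers",        "properties": {"pricingTier": "Standard"}}
  ]
}
""")

# Alias -> path into the resource, straight from the page's alias table
ALIAS_PATHS = {
    "Microsoft.Security/pricings/pricingTier": ("properties", "pricingTier"),
}

ALLOWED_EFFECTS = ("AuditIfNotExists", "Disabled")   # the page's allowed effects


def field(resource, alias):
    """Resolve an Azure Policy alias against one resource dict; None if absent."""
    node = resource
    for key in ALIAS_PATHS[alias]:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def evaluate(pricings, plan_name, effect="AuditIfNotExists", required_tier="Standard"):
    """Mimic the THEN/ExistenceCondition of the definition for one plan.

    Returns "NotEvaluated" when the effect is Disabled, "Compliant" when a
    pricings child named plan_name exists with pricingTier == required_tier,
    and "NonCompliant" otherwise (a missing plan and a Free tier both fail
    the existence condition, which is exactly how AuditIfNotExists behaves).
    """
    if effect not in ALLOWED_EFFECTS:
        raise ValueError(f"effect {effect!r} is not allowed for this definition")
    if effect == "Disabled":
        return "NotEvaluated"
    for plan in pricings.get("value", []):
        if (plan.get("name") == plan_name
                and field(plan, "Microsoft.Security/pricings/pricingTier") == required_tier):
            return "Compliant"
    return "NonCompliant"


def report(pricings):
    """Evaluate the legacy plan (assumed name) beside its assumed successor so a
    reviewer can see that the deprecated definition may flag a subscription that
    already pays for the newer plan."""
    return {
        "KubernetesService (legacy, assumed plan of 523b5cd1)": evaluate(pricings, "KubernetesService"),
        "Containers (assumed successor plan)": evaluate(pricings, "Containers"),
    }


if __name__ == "__main__":
    for plan, verdict in report(SAMPLE_PRICINGS).items():
        print(f"{plan}: {verdict}")
```

Run against the constructed payload, the legacy plan evaluates NonCompliant while the successor evaluates Compliant, which is the practical reason to retire assignments of a deprecated definition rather than leave them auditing a plan that is no longer the one being purchased.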
Compliance
The following 4 compliance controls are associated with this Policy definition '[Deprecated]: Azure Defender for Kubernetes should be enabled' (523b5cd1-3e23-492f-a539-13118b6d1e3a)
Control domain: Azure_Security_Benchmark_v2.0
Control name: IR-3 (Azure Security Benchmark IR-3)
MetadataId: Azure_Security_Benchmark_v2.0_IR-3
Category: Incident Response
Title: Detection and analysis - create incidents based on high quality alerts
Owner: Customer
Requirements: Ensure you have a process to create high quality alerts and measure the quality of alerts. This allows you to learn lessons from past incidents and prioritize alerts for analysts, so they don't waste time on false positives. High quality alerts can be built based on experience from past incidents, validated community sources, and tools designed to generate and clean up alerts by fusing and correlating diverse signal sources. Azure Security Center provides high quality alerts across many Azure assets. You can use the ASC data connector to stream the alerts to Azure Sentinel. Azure Sentinel lets you create advanced alert rules to generate incidents automatically for an investigation. Export your Azure Security Center alerts and recommendations using the export feature to help identify risks to Azure resources. Export alerts and recommendations either manually or in an ongoing, continuous fashion.
How to configure export: https://docs.microsoft.com/azure/security-center/continuous-export
How to stream alerts into Azure Sentinel: https://docs.microsoft.com/azure/sentinel/connect-azure-security-center
Description: n/a
Policies in control: 8

Control domain: Azure_Security_Benchmark_v2.0
Control name: IR-5 (Azure Security Benchmark IR-5)
MetadataId: Azure_Security_Benchmark_v2.0_IR-5
Category: Incident Response
Title: Detection and analysis - prioritize incidents
Owner: Customer
Requirements: Provide context to analysts on which incidents to focus on first based on alert severity and asset sensitivity. Azure Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert. Additionally, mark resources using tags and create a naming system to identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred.
Security alerts in Azure Security Center: https://docs.microsoft.com/azure/security-center/security-center-alerts-overview
Use tags to organize your Azure resources: https://docs.microsoft.com/azure/azure-resource-manager/resource-group-using-tags
Description: n/a
Policies in control: 8

Control domain: Azure_Security_Benchmark_v2.0
Control name: LT-1 (Azure Security Benchmark LT-1)
MetadataId: Azure_Security_Benchmark_v2.0_LT-1
Category: Logging and Threat Detection
Title: Enable threat detection for Azure resources
Owner: Customer
Requirements: Ensure you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high quality alerts to reduce false positives for analysts to sort through. Alerts can be sourced from log data, agents, or other data. Use the Azure Security Center built-in threat detection capability, which is based on monitoring Azure service telemetry and analyzing service logs. Data is collected using the Log Analytics agent, which reads various security-related configurations and event logs from the system and copies the data to your workspace for analysis. In addition, use Azure Sentinel to build analytics rules, which hunt threats that match specific criteria across your environment. The rules generate incidents when the criteria are matched, so that you can investigate each incident. Azure Sentinel can also import third party threat intelligence to enhance its threat detection capability.
Threat protection in Azure Security Center: https://docs.microsoft.com/azure/security-center/threat-protection
Azure Security Center security alerts reference guide: https://docs.microsoft.com/azure/security-center/alerts-reference
Create custom analytics rules to detect threats: https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom
Cyber threat intelligence with Azure Sentinel: https://docs.microsoft.com/azure/architecture/example-scenario/data/sentinel-threat-intelligence
Description: n/a
Policies in control: 8

Control domain: Azure_Security_Benchmark_v2.0
Control name: LT-2 (Azure Security Benchmark LT-2)
MetadataId: Azure_Security_Benchmark_v2.0_LT-2
Category: Logging and Threat Detection
Title: Enable threat detection for Azure identity and access management
Owner: Customer
Requirements: Microsoft Entra ID provides the following user logs that can be viewed in Microsoft Entra ID reporting or integrated with Azure Monitor, Azure Sentinel or other SIEM/monitoring tools for more sophisticated monitoring and analytics use cases:
- Sign-ins - The sign-ins report provides information about the usage of managed applications and user sign-in activities.
- Audit logs - Provides traceability through logs for all changes done by various features within Microsoft Entra ID. Examples of audit logs include changes made to any resources within Microsoft Entra ID like adding or removing users, apps, groups, roles and policies.
- Risky sign-ins - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.
- Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.
Azure Security Center can also alert on certain suspicious activities such as an excessive number of failed authentication attempts, and deprecated accounts in the subscription. In addition to the basic security hygiene monitoring, Azure Security Center's Threat Protection module can also collect more in-depth security alerts from individual Azure compute resources (such as virtual machines, containers, app service), data resources (such as SQL DB and storage), and Azure service layers. This capability allows you to see account anomalies inside the individual resources.
Audit activity reports in Microsoft Entra ID: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs
Enable Azure Identity Protection: https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection
Threat protection in Azure Security Center: https://docs.microsoft.com/azure/security-center/threat-protection
Description: n/a
Policies in control: 8
Initiatives usage
Initiative DisplayName: [Deprecated]: Azure Security Benchmark v2
Initiative Id: bb522ac1-bc39-4957-b194-429bcd3bcb0b
Initiative Category: Regulatory Compliance
State: Deprecated
Type: BuiltIn
History
Date/Time (UTC ymd) | Change type | Change detail
2021-12-06 22:17:57 change Version remains equal, new suffix: deprecated (1.0.3 > 1.0.3-deprecated)
2020-07-14 15:28:17 change Previous DisplayName: Advanced threat protection should be enabled on Azure Kubernetes Service
2020-06-23 16:03:25 add 523b5cd1-3e23-492f-a539-13118b6d1e3a