Alerts for Kubernetes Clusters

Defender for Containers provides enhanced alert capabilities for threats to the Kubernetes (K8s) control plane and workload runtime. Microsoft Defender Threat Intelligence also detect threats relevant to K8s containers, and combined with the Defender sensor, give enriched context for comprehensive and actionable alerts to safeguard your K8s environment.

Control plane detection

In Kubernetes, the control plane manages and orchestrates all the resources within the cluster. Defender for Containers identifies potential threats in the control plane that can compromise the security and integrity of the entire cluster by monitoring the activities of the K8s API server. Critical events are captured that indicate potential security threats, such as suspicious operations by service accounts or exposure of services.

Examples of suspicious operations captured by Defender for Containers include:

  • Privileged container deployments can be a security risk as they grant containers elevated privileges within the host system. Privileged containers are monitored for unauthorized deployments, excessive use of privileges, and potential misconfigurations that could lead to security breaches.
  • Risky service exposures to the public Internet can expose the Kubernetes cluster to potential attacks. The cluster is monitored for services that are unintentionally exposed, misconfigured with overly permissive access controls, or lacking proper security measures.
  • Suspicious service account activities can indicate unauthorized access or malicious behavior within the cluster. The cluster is monitored for unusual patterns such as excessive resource requests, unauthorized API calls, or access to sensitive data.

Workload runtime detection

Defender for Containers uses the Defender sensor to monitor the K8s workload runtime activity to detect suspicious operations, including workload process creation events.

Examples of suspicious workload runtime activity include:

  • Web shell activity - Defender for Containers monitors the activity on the running containers to identify behaviors that resemble web shell invocations.
  • Crypto mining activity - Defender for Containers uses several heuristics to identify crypto mining activity on the running containers, including suspicious download activity, CPU optimization, suspicious process execution, and more.
  • Network scanning tools - Defender for Containers identifies usage of scanning tools that have been used for malicious activities.

K8s alerts simulation tool

Defender for Containers provides a tool to simulate various attack scenarios within your K8s environment, causing alerts to be generated. The simulation tool deploys two pods in a target cluster: attacker and victim. During the simulation, the attacker "attacks" the victim using real-world techniques.

Note

Although the simulation tool doesn't run any malicious components, it's recommended to run it on a dedicated cluster without production workloads.

The simulation tool runs using a Python-based CLI that deploys Helm charts in the target cluster.

Install the simulation tool

  1. Prerequisites:

    • A user with admin permissions over the target cluster.

    • Defender for Containers is enabled and the Defender sensor is also installed. You can check that the Defender sensor is installed by running:

      kubectl get ds microsoft-defender-collector-ds -n kube-system

    • A Helm client is installed on your local machine.

    • Python version 3.7 or above is installed on your local machine.

  2. Point kubeconfig to the target cluster. For Azure Kubernetes Service, you can run:

    az aks get-credentials --name [cluster-name] --resource-group [resource-group]

  3. Download the simulation tool with the following command:

    curl -O https://raw.githubusercontent.com/microsoft/Defender-for-Cloud-Attack-Simulation/refs/heads/main/simulation.py

Run the simulation tool

  1. Run the simulation script with the following command: python simulation.py

  2. Choose a simulated attack scenario or choose to simulate all of the attack scenarios at once. The available simulated attack scenarios are:

Scenario Expected alerts
Reconnaissance Possible Web Shell activity detected
Suspicious Kubernetes service account operation detected
Network scanning tool detected
Lateral Movement Possible Web Shell activity detected
Access to cloud metadata service detected
Secrets Gathering Possible Web Shell activity detected
Sensitive files access detected
Possible secret reconnaissance detected
Crypto mining Possible Web Shell activity detected
Kubernetes CPU optimization detected
Command within a container accessed ld.so.preload
Possible Crypto miners download detected
A drift binary detected executing in the container
Web shell Possible Web Shell activity detected

Note

While some alerts are triggered in near real-time, others may take up to an hour.

Next steps