Configure Microsoft Defender for Containers components

Article
07/31/2024

Microsoft Defender for Containers is the cloud-native solution for securing your containers.

Defender for Containers protects your clusters whether they're running in:

Azure Kubernetes Service (AKS) - Microsoft's managed service for developing, deploying, and managing containerized applications.

Other Kubernetes distributions (using Azure Arc-enabled Kubernetes) - Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters hosted on-premises or on IaaS.

Learn about this plan in Overview of Microsoft Defender for Containers.

You can first learn how to connect and protect your containers in these articles:

Note

Defender for Containers' support for Arc-enabled Kubernetes clusters is a preview feature. The preview feature is available on a self-service, opt-in basis.

Previews are provided "as is" and "as available" and are excluded from the service level agreements and limited warranty.

Network requirements

Validate the following endpoints are configured for outbound access so that the Defender sensor can connect to Microsoft Defender for Cloud to send security data and events:

See the required FQDN/application rules for Microsoft Defender for Containers.

By default, AKS clusters have unrestricted outbound (egress) internet access.

Defender sensor must connect to the configured Azure Monitor Log Analytics workspace. In the event egress from the cluster requires the use of Azure Monitor Private Link Scope (AMPLS), you must:

Define the cluster with Container Insights and a Log Analytics workspace
Configure the AMPLS with Query access mode and Ingestion access mode set to "Open"
Define the cluster Log Analytics workspace as a resource in the AMPLS
Create in the AMPLS a virtual network private endpoint between the virtual network (VNet) of the cluster and the Log Analytics resource. The virtual network private endpoint integrates with a private DNS zone.

Refer to Create an Azure Monitor Private Link for instructions.

Enable the plan

To enable the plan:

From Defender for Cloud's menu, open the Settings page and select the relevant subscription.
In the Defender plans page, select Defender for Containers and select Settings.

Tip

If the subscription already has Defender for Kubernetes and/or Defender for container registries enabled, an update notice is shown. Otherwise, the only option will be Defender for Containers.
Turn the relevant component on to enable it.
Note
- Defenders for Containers customers who joined before August 2023 and don't have Agentless discovery for Kubernetes enabled as part of Defender CSPM when they enabled the plan, must manually enable the Agentless discovery for Kubernetes extension within the Defender for Containers plan.
- When you turn off Defender for Containers, the components are set to off and are not deployed to any more containers but they are not removed from containers that they are already installed on.

Enablement method per capability

By default, when enabling the plan through the Azure portal, Microsoft Defender for Containers is configured to automatically enable all capabilities and install all required components to provide the protections offered by the plan, including the assignment of a default workspace.

If you don't want to enable all capabilities of the plans, you can manually select which specific capabilities to enable by selecting Edit configuration for the Containers plan. Then, in the Settings & monitoring page, select the capabilities you want to enable. In addition, you can modify this configuration from the Defender plans page after initial configuration of the plan.

For detailed information on the enablement method for each one the capabilities, see the support matrix.

Roles and permissions

Learn more about the roles used to provision Defender for Containers extensions.

Assigning custom workspace for Defender sensor

You can assign a custom workspace through Azure Policy.

Manual deployment of Defender sensor or Azure policy agent without auto-provisioning using recommendations

Capabilities that require sensor installation can also be deployed on one or more Kubernetes clusters, using the appropriate recommendation:

Sensor	Recommendation
Defender Sensor for Kubernetes	Azure Kubernetes Service clusters should have Defender profile enabled
Defender Sensor for Arc-enabled Kubernetes	Azure Arc-enabled Kubernetes clusters should have the Defender extension installed
Azure policy agent for Kubernetes	Azure Kubernetes Service clusters should have the Azure Policy Add-on for Kubernetes installed
Azure policy agent for Arc-enabled Kubernetes	Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed

Perform the following steps to perform deployment of the Defender sensor on specific clusters:

From Microsoft Defender for Cloud's recommendations page, open the Enable enhanced security security control or search directly for one of the above recommendations (or use the above links to open the recommendation directly)
View all clusters without a sensor via the unhealthy tab.
Select the clusters to deploy the desired sensor on and select Fix.
Select Fix X resources.

Deploying Defender sensor - all options

You can enable the Defender for Containers plan and deploy all of the relevant components from the Azure portal, the REST API, or with a Resource Manager template. For detailed steps, select the relevant tab.

Once the Defender sensor has been deployed, a default workspace is automatically assigned. You can assign a custom workspace in place of the default workspace through Azure Policy.

Note

The Defender sensor is deployed to each node to provide the runtime protections and collect signals from those nodes using eBPF technology.

Use the fix button from the Defender for Cloud recommendation

A streamlined, frictionless, process lets you use the Azure portal pages to enable the Defender for Cloud plan and setup auto provisioning of all the necessary components for defending your Kubernetes clusters at scale.

A dedicated Defender for Cloud recommendation provides:

Visibility about which of your clusters has the Defender sensor deployed
Fix button to deploy it to those clusters without the sensor

From Microsoft Defender for Cloud's recommendations page, open the Enable enhanced security security control.
Use the filter to find the recommendation named Azure Kubernetes Service clusters should have Defender profile enabled.

Tip

Notice the Fix icon in the actions column
Select the clusters to see the details of the healthy and unhealthy resources - clusters with and without the sensor.
From the unhealthy resources list, select a cluster and select Remediate to open the pane with the remediation confirmation.
Select Fix X resources.

Use the REST API to deploy the Defender sensor

To install the 'SecurityProfile' on an existing cluster with the REST API, run the following PUT command:

PUT https://management.chinacloudapi.cn/subscriptions/{{Subscription Id}}/resourcegroups/{{Resource Group}}/providers/Microsoft.Kubernetes/connectedClusters/{{Cluster Name}}/providers/Microsoft.KubernetesConfiguration/extensions/microsoft.azuredefender.kubernetes?api-version=2020-07-01-preview

Request URI: https://management.chinacloudapi.cn/subscriptions/{{SubscriptionId}}/resourcegroups/{{ResourceGroup}}/providers/Microsoft.ContainerService/managedClusters/{{ClusterName}}?api-version={{ApiVersion}}

Request query parameters:

Name	Description	Mandatory
SubscriptionId	Cluster's subscription ID	Yes
ResourceGroup	Cluster's resource group	Yes
ClusterName	Cluster's name	Yes
ApiVersion	API version, must be >= 2022-06-01	Yes

Request Body:

{
  "location": "{{Location}}",
  "properties": {
    "securityProfile": {
            "defender": {
                "logAnalyticsWorkspaceResourceId": "{{LAWorkspaceResourceId}}",
                "securityMonitoring": {
                    "enabled": true,
                }
            }
        }
    }
}

Request body parameters:

Name	Description	Mandatory
location	Cluster's location	Yes
properties.securityProfile.defender.securityMonitoring.enabled	Determines whether to enable or disable Microsoft Defender for Containers on the cluster	Yes
properties.securityProfile.defender.logAnalyticsWorkspaceResourceId	Log Analytics workspace Azure resource ID	Yes

Use Azure CLI to deploy the Defender sensor

Sign in to Azure:
```
az cloud set -n AzureChinaCloud
az login
az account set --subscription <your-subscription-id>
```
Important

Ensure that you use the same subscription ID for <your-subscription-id> as the one associated with your AKS cluster.

Enable the Defender sensor on your containers:

Run the following command to create a new cluster with the Defender sensor enabled:

az aks create --enable-defender --resource-group <your-resource-group> --name <your-cluster-name>

Run the following command to enable the Defender sensor on an existing cluster:

az aks update --enable-defender --resource-group <your-resource-group> --name <your-cluster-name>

A description of all the supported configuration settings on the Defender sensor type is given below:

Property Description

logAnalyticsWorkspaceResourceId Optional. Full resource ID of your own Log Analytics workspace.
When not provided, the default workspace of the region will be used.

To get the full resource ID, run the following command to display the list of workspaces in your subscriptions in the default JSON format:
az resource list --resource-type Microsoft.OperationalInsights/workspaces -o json

The Log Analytics workspace resource ID has the following syntax:
/subscriptions/{your-subscription-id}/resourceGroups/{your-resource-group}/providers/Microsoft.OperationalInsights/workspaces/{your-workspace-name}.
Learn more in Log Analytics workspaces

Property	Description
logAnalyticsWorkspaceResourceId	Optional. Full resource ID of your own Log Analytics workspace. When not provided, the default workspace of the region will be used. To get the full resource ID, run the following command to display the list of workspaces in your subscriptions in the default JSON format: `az resource list --resource-type Microsoft.OperationalInsights/workspaces -o json` The Log Analytics workspace resource ID has the following syntax: /subscriptions/{your-subscription-id}/resourceGroups/{your-resource-group}/providers/Microsoft.OperationalInsights/workspaces/{your-workspace-name}. Learn more in Log Analytics workspaces

You can include these settings in a JSON file and specify the JSON file in the az aks create and az aks update commands with this parameter: --defender-config <path-to-JSON-file>. The format of the JSON file must be:

{"logAnalyticsWorkspaceResourceId": "<workspace-id>"}

Learn more about AKS CLI commands in az aks.

To verify that the sensor was successfully added, run the following command on your machine with the kubeconfig file pointed to your cluster:
```
kubectl get pods -n kube-system
```
When the sensor is added, you should see a pod called microsoft-defender-XXXXX in Running state. It might take a few minutes for pods to be added.

Use Azure Resource Manager to deploy the Defender sensor

To use Azure Resource Manager to deploy the Defender sensor, you'll need a Log Analytics workspace on your subscription. Learn more in Log Analytics workspaces.

Tip

If you're new to Resource Manager templates, start here: What are Azure Resource Manager templates?

To install the 'SecurityProfile' on an existing cluster with Resource Manager:

{ 
    "type": "Microsoft.ContainerService/managedClusters", 
    "apiVersion": "2022-06-01", 
    "name": "string", 
    "location": "string",
    "properties": {
        …
        "securityProfile": { 
            "defender": { 
                "logAnalyticsWorkspaceResourceId": “logAnalyticsWorkspaceResourceId",
                "securityMonitoring": {
                    "enabled": true
                }
            }
        }
    }
}

Enable the plan

To enable the plan:

From Defender for Cloud's menu, open the Settings page and select the relevant subscription.
In the Defender plans page, select Defender for Containers and select Settings.

Tip

If the subscription already has Defender for Kubernetes or Defender for container registries enabled, an update notice is shown. Otherwise, the only option will be Defender for Containers.
Turn the relevant component on to enable it.

Note

When you turn off Defender for Containers, the components are set to off and are not deployed to any more containers but they are not removed from containers that they are already installed on.

By default, when enabling the plan through the Azure portal, Microsoft Defender for Containers is configured to automatically install required components to provide the protections offered by plan, including the assignment of a default workspace.

If you want to disable automatic installation of components during the onboarding process, select Edit configuration for the Containers plan. The Advanced options will appear, and you can disable automatic installation for each component.

In addition, you can modify this configuration from the Defender plans page.

Note

If you choose to disable the plan at any time after enabling it through the portal as shown above, you'll need to manually remove Defender for Containers components deployed on your clusters.

You can assign a custom workspace through Azure Policy.

If you disable the automatic installation of any component, you can easily deploy the component to one or more clusters using the appropriate recommendation:

Policy Add-on for Kubernetes - Azure Kubernetes Service clusters should have the Azure Policy Add-on for Kubernetes installed
Azure Kubernetes Service profile - Azure Kubernetes Service clusters should have Defender profile enabled
Azure Arc-enabled Kubernetes extension - Azure Arc-enabled Kubernetes clusters should have the Defender extension installed
Azure Arc-enabled Kubernetes Policy extension - Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed

Learn more about the roles used to provision Defender for Containers extensions.

Prerequisites

Before deploying the sensor, ensure you:

Deploy the Defender sensor

You can deploy the Defender sensor using a range of methods. For detailed steps, select the relevant tab.

Use the fix button from the Defender for Cloud recommendation

A dedicated Defender for Cloud recommendation provides:

Visibility about which of your clusters has the Defender sensor deployed
Fix button to deploy it to those clusters without the sensor

From Microsoft Defender for Cloud's recommendations page, open the Enable enhanced security security control.
Use the filter to find the recommendation named Azure Arc-enabled Kubernetes clusters should have Defender for Cloud's extension installed.

Tip

Notice the Fix icon in the actions column
Select the sensor to see the details of the healthy and unhealthy resources - clusters with and without the sensor.
From the unhealthy resources list, select a cluster and select Remediate to open the pane with the remediation options.
Select the relevant Log Analytics workspace and select Remediate x resource.

Use Azure CLI to deploy the Defender sensor

Sign in to Azure:
```
az cloud set -n AzureChinaCloud
az login
az account set --subscription <your-subscription-id>
```
Important

Ensure that you use the same subscription ID for <your-subscription-id> as the one that was used when connecting your cluster to Azure Arc.

Run the following command to deploy the sensor on top of your Azure Arc-enabled Kubernetes cluster:

az k8s-extension create --name microsoft.azuredefender.kubernetes --cluster-type connectedClusters --cluster-name <cluster-name> --resource-group <resource-group> --extension-type microsoft.azuredefender.kubernetes

A description of all the supported configuration settings on the Defender sensor type is given below:

Property Description

logAnalyticsWorkspaceResourceID Optional. Full resource ID of your own Log Analytics workspace.
When not provided, the default workspace of the region will be used.

To get the full resource ID, run the following command to display the list of workspaces in your subscriptions in the default JSON format:
az resource list --resource-type Microsoft.OperationalInsights/workspaces -o json

The Log Analytics workspace resource ID has the following syntax:
/subscriptions/{your-subscription-id}/resourceGroups/{your-resource-group}/providers/Microsoft.OperationalInsights/workspaces/{your-workspace-name}.
Learn more in Log Analytics workspaces

auditLogPath Optional. The full path to the audit log files.
When not provided, the default path /var/log/kube-apiserver/audit.log will be used.
For AKS Engine, the standard path is /var/log/kubeaudit/audit.log

Property	Description
logAnalyticsWorkspaceResourceID	Optional. Full resource ID of your own Log Analytics workspace. When not provided, the default workspace of the region will be used. To get the full resource ID, run the following command to display the list of workspaces in your subscriptions in the default JSON format: `az resource list --resource-type Microsoft.OperationalInsights/workspaces -o json` The Log Analytics workspace resource ID has the following syntax: /subscriptions/{your-subscription-id}/resourceGroups/{your-resource-group}/providers/Microsoft.OperationalInsights/workspaces/{your-workspace-name}. Learn more in Log Analytics workspaces
auditLogPath	Optional. The full path to the audit log files. When not provided, the default path `/var/log/kube-apiserver/audit.log` will be used. For AKS Engine, the standard path is `/var/log/kubeaudit/audit.log`

The below command shows an example usage of all optional fields:

az k8s-extension create --name microsoft.azuredefender.kubernetes --cluster-type connectedClusters --cluster-name <your-connected-cluster-name> --resource-group <your-rg> --extension-type microsoft.azuredefender.kubernetes --configuration-settings logAnalyticsWorkspaceResourceID=<log-analytics-workspace-resource-id> auditLogPath=<your-auditlog-path>

Use REST API to deploy the Defender sensor

To use the REST API to deploy the Defender sensor, you'll need a Log Analytics workspace on your subscription. Learn more in Log Analytics workspaces.

To manually deploy the sensor with the REST API, run the following PUT command:

PUT https://management.chinacloudapi.cn/subscriptions/{{Subscription Id}}/resourcegroups/{{Resource Group}}/providers/Microsoft.Kubernetes/connectedClusters/{{Cluster Name}}/providers/Microsoft.KubernetesConfiguration/extensions/microsoft.azuredefender.kubernetes?api-version=2020-07-01-preview

Where:

Name	In	Required	Type	Description
Subscription ID	Path	True	String	Your Azure Arc-enabled Kubernetes resource's subscription ID
Resource Group	Path	True	String	Name of the resource group containing your Azure Arc-enabled Kubernetes resource
Cluster Name	Path	True	String	Name of your Azure Arc-enabled Kubernetes resource

For Authentication, your header must have a Bearer token (as with other Azure APIs). To get a bearer token, run the following command:

az account get-access-token --subscription <your-subscription-id> Use the following structure for the body of your message:

{ 
"properties": { 
    "extensionType": "microsoft.azuredefender.kubernetes",
"con    figurationSettings": { 
        "logAnalytics.workspaceId":"YOUR-WORKSPACE-ID"
    // ,    "auditLogPath":"PATH/TO/AUDITLOG"
    },
    "configurationProtectedSettings": {
        "logAnalytics.key":"YOUR-WORKSPACE-KEY"
    }
    }
}

Description of the properties is given below:

Property	Description
logAnalytics.workspaceId	Workspace ID of the Log Analytics resource
logAnalytics.key	Key of the Log Analytics resource
auditLogPath	Optional. The full path to the audit log files. The default value is `/var/log/kube-apiserver/audit.log`

Verify the deployment

To verify that your cluster has the Defender sensor installed on it, follow the steps in one of the tabs below:

Use Defender for Cloud recommendation to verify the status of your sensor

From Microsoft Defender for Cloud's recommendations page, open the Enable Microsoft Defender for Cloud security control.
Select the recommendation named Azure Arc-enabled Kubernetes clusters should have Microsoft Defender for Cloud's extension installed.
Check that the cluster on which you deployed the sensor is listed as Healthy.

Use Azure CLI to verify that the sensor is deployed

Run the following command on Azure CLI:

az k8s-extension show --cluster-type connectedClusters --cluster-name <your-connected-cluster-name> --resource-group <your-rg> --name microsoft.azuredefender.kubernetes

In the response, look for "extensionType": "microsoft.azuredefender.kubernetes" and "installState": "Installed".

Note

It might show "installState": "Pending" for the first few minutes.
If the state shows Installed, run the following command on your machine with the kubeconfig file pointed to your cluster to check that all pods under the mdc namespace are in the 'Running' state:
```
kubectl get pods -n mdc
```

Use the REST API to verify that the sensor is deployed

To confirm a successful deployment, or to validate the status of your sensor at any time:

Run the following GET command:

GET https://management.chinacloudapi.cn/subscriptions/{{Subscription Id}}/resourcegroups/{{Resource Group}}/providers/Microsoft.Kubernetes/connectedClusters/{{Cluster Name}}/providers/Microsoft.KubernetesConfiguration/extensions/microsoft.azuredefender.kubernetes?api-version=2020-07-01-preview

In the response, look in "extensionType": "microsoft.azuredefender.kubernetes" for "installState": "Installed".

Tip

It might show "installState": "Pending" for the first few minutes.
If the state shows Installed, run the following command on your machine with the kubeconfig file pointed to your cluster to check that all pods under the mdc namespace are in 'Running' state:
```
kubectl get pods -n mdc
```

Simulate security alerts from Microsoft Defender for Containers

A full list of supported alerts is available in the reference table of all Defender for Cloud security alerts.

To simulate a security alert, run the following command from the cluster:
```
kubectl get pods --namespace=asc-alerttest-662jfi039n
```
The expected response is No resource found.

Within 30 minutes, Defender for Cloud detects this activity and trigger a security alert.

Note

To simulate agentless alerts for Defender for Containers, Azure Arc isn't a prerequisite.
In the Azure portal, open Microsoft Defender for Cloud's security alerts page and look for the alert on the relevant resource:

Remove the Defender sensor

To remove this - or any - Defender for Cloud extension, it's not enough to turn off auto provisioning:

Enabling auto provisioning, potentially impacts existing and future machines.
Disabling auto provisioning for an extension, only affects the future machines - nothing is uninstalled by disabling auto provisioning.

Note

To turn off the Defender for Containers plan entirely, go to Environment settings and disable the Microsoft Defender for Containers plan.

Nevertheless, to ensure the Defender for Containers components aren't automatically provisioned to your resources from now on, disable auto provisioning of the extensions as explained in Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud.

You can remove the extension using Azure portal, Azure CLI, or REST API as explained in the tabs below.

Use Azure portal to remove the extension

From the Azure portal, open Azure Arc.
From the infrastructure list, select Kubernetes clusters and then select the specific cluster.
Open the extensions page. The extensions on the cluster are listed.
Select the cluster and select Uninstall.

Use Azure CLI to remove the Defender sensor

Remove the Microsoft Defender for Kubernetes Arc extension with the following commands:

az cloud set -n AzureChinaCloud
az login
az account set --subscription <subscription-id>
az k8s-extension delete --cluster-type connectedClusters --cluster-name <your-connected-cluster-name> --resource-group <your-rg> --name microsoft.azuredefender.kubernetes --yes

Removing the extension might take a few minutes. We recommend you wait before you try to verify that it was successful.

To verify that the extension was successfully removed, run the following commands:
```
az k8s-extension show --cluster-type connectedClusters --cluster-name <your-connected-cluster-name> --resource-group <your-rg> --name microsoft.azuredefender.kubernetes
```
After that, validate that there are no pods under the mdc namespace on the cluster by running the following command with the kubeconfig file pointed to your cluster:
```
kubectl get pods -n mdc
```
It might take a few minutes for the pods to be deleted.

Use REST API to remove the Defender sensor

To remove the extension using the REST API, run the following DELETE command:

DELETE https://management.chinacloudapi.cn/subscriptions/{{Subscription Id}}/resourcegroups/{{Resource Group}}/providers/Microsoft.Kubernetes/connectedClusters/{{Cluster Name}}/providers/Microsoft.KubernetesConfiguration/extensions/microsoft.azuredefender.kubernetes?api-version=2020-07-01-preview

Name	In	Required	Type	Description
Subscription ID	Path	True	String	Your Azure Arc-enabled Kubernetes cluster's subscription ID
Resource Group	Path	True	String	Your Azure Arc-enabled Kubernetes cluster's resource group
Cluster Name	Path	True	String	Your Azure Arc-enabled Kubernetes cluster's name

For Authentication, your header must have a Bearer token (as with other Azure APIs). To get a bearer token, run the following command:

az account get-access-token --subscription <your-subscription-id>

The request might take several minutes to complete.

Remove the Defender sensor

To remove this - or any - Defender for Cloud extension, it's not enough to turn off auto provisioning:

Enabling auto provisioning, potentially impacts existing and future machines.
Disabling auto provisioning for an extension, only affects the future machines - nothing is uninstalled by disabling auto provisioning.

Note

To turn off the Defender for Containers plan entirely, go to Environment settings and disable the Microsoft Defender for Containers plan.

You can remove the extension using the REST API or a Resource Manager template as explained in the tabs below.

Use REST API to remove the Defender sensor from AKS

To remove the extension using the REST API, run the following PUT command:

https://management.chinacloudapi.cn/subscriptions/{{SubscriptionId}}/resourcegroups/{{ResourceGroup}}/providers/Microsoft.ContainerService/managedClusters/{{ClusterName}}?api-version={{ApiVersion}}

Name	Description	Mandatory
SubscriptionId	Cluster's subscription ID	Yes
ResourceGroup	Cluster's resource group	Yes
ClusterName	Cluster's name	Yes
ApiVersion	API version, must be >= 2022-06-01	Yes

Request body:

{
  "location": "{{Location}}",
  "properties": {
    "securityProfile": {
            "defender": {
                "securityMonitoring": {
                    "enabled": false
                }
            }
        }
    }
}

Request body parameters:

Name	Description	Mandatory
location	Cluster's location	Yes
properties.securityProfile.defender.securityMonitoring.enabled	Determines whether to enable or disable Microsoft Defender for Containers on the cluster	Yes

Use Azure CLI to remove the Defender sensor

Remove the Microsoft Defender for with the following commands:

az cloud set -n AzureChinaCloud
az login
az account set --subscription <subscription-id>
az aks update --disable-defender --resource-group <your-resource-group> --name <your-cluster-name>

Removing the extension might take a few minutes.

To verify that the extension was successfully removed, run the following command:
```
kubectl get pods -n kube-system | grep microsoft-defender
```
When the extension is removed, you should see that no pods are returned in the get pods command. It might take a few minutes for the pods to be deleted.

Use Azure Resource Manager to remove the Defender sensor from AKS

To use Azure Resource Manager to remove the Defender sensor, you'll need a Log Analytics workspace on your subscription. Learn more in Log Analytics workspaces.

Tip

If you're new to Resource Manager templates, start here: What are Azure Resource Manager templates?

The relevant template and parameters to remove the Defender sensor from AKS are:

{ 
    "type": "Microsoft.ContainerService/managedClusters", 
    "apiVersion": "2022-06-01", 
    "name": "string", 
    "location": "string",
    "properties": {
        …
        "securityProfile": { 
            "defender": { 
                "securityMonitoring": {
                    "enabled": false
                }
            }
        }
    }
}

Next steps

Now that you enabled Defender for Containers, you can:

Check out common questions about Defender for Containers.

Configure Microsoft Defender for Containers components

Network requirements

Enable the plan

Enablement method per capability

Roles and permissions

Assigning custom workspace for Defender sensor

Manual deployment of Defender sensor or Azure policy agent without auto-provisioning using recommendations

Deploying Defender sensor - all options

Use the fix button from the Defender for Cloud recommendation

Use the REST API to deploy the Defender sensor

Use Azure CLI to deploy the Defender sensor

Use Azure Resource Manager to deploy the Defender sensor

Enable the plan

Prerequisites

Deploy the Defender sensor

Use the fix button from the Defender for Cloud recommendation

Use Azure CLI to deploy the Defender sensor

Use Azure Resource Manager to deploy the Defender sensor

Use REST API to deploy the Defender sensor

Verify the deployment

Use Defender for Cloud recommendation to verify the status of your sensor

Use the Azure Arc pages to verify the status of your sensor

Use Azure CLI to verify that the sensor is deployed

Use the REST API to verify that the sensor is deployed

Simulate security alerts from Microsoft Defender for Containers

Remove the Defender sensor

Use Azure portal to remove the extension

Use Azure CLI to remove the Defender sensor

Use REST API to remove the Defender sensor

Remove the Defender sensor

Use REST API to remove the Defender sensor from AKS

Use Azure CLI to remove the Defender sensor

Use Azure Resource Manager to remove the Defender sensor from AKS

Next steps

Additional resources