
🛡️ Azure Subscription Microsoft Defender For Containers is not set to On🟢

  • Contextual name: 🛡️ Microsoft Defender For Containers is not set to On🟢
  • ID: /ce/ca/azure/subscription/microsoft-defender-for-containers
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-9f7d853f1

Description

Microsoft Defender for Containers helps improve, monitor, and maintain the security of containerized assets—including Kubernetes clusters, nodes, workloads, container registries, and images—across multi-cloud and on-premises environments.

By default, when enabling the plan through the Azure Portal, Microsoft Defender for Containers automatically configures the following components:

  • Agentless scanning for machines
  • Defender sensor for runtime protection
  • Azure Policy for enforcing security best practices
  • K8S API access for monitoring and threat detection
  • Registry access for vulnerability assessment

Note: Microsoft Defender for Container Registries ('ContainerRegistry') is deprecated and has been replaced by Microsoft Defender for Containers ('Containers').

Rationale

Enabling Microsoft Defender for Containers enhances defense-in-depth by providing advanced threat detection, vulnerability assessment, and security monitoring for containerized environments, leveraging insights from the Microsoft Security Response Center (MSRC).


Remediation

From Azure Portal

  1. Go to Microsoft Defender for Cloud.
  2. Under Management, select Environment Settings.
  3. Click on the subscription name.
  4. Under Settings, click Defender plans.
  5. Under Cloud Workload Protection (CWP), in the row for Containers, click On in the Status column.
  6. If Monitoring coverage displays Partial, click Settings under Partial.
  7. Set the status of each of the components to On.
  8. Click Continue.
  9. Click Save.
  10. Repeat steps 1-9 for each subscription.

From Azure CLI

Note: Microsoft Defender for Container Registries ('ContainerRegistry') is deprecated and has been replaced by Microsoft Defender for Containers ('Containers').

Run the following command to enable the Microsoft Defender for Containers plan (Standard tier) together with each of its components; passing every extension explicitly is what takes a plan from Partial to full monitoring coverage:

az security pricing create -n 'Containers' --tier 'standard' --extensions name=ContainerRegistriesVulnerabilityAssessments isEnabled=True --extensions name=AgentlessDiscoveryForKubernetes isEnabled=True --extensions name=AgentlessVmScanning isEnabled=True --extensions name=ContainerSensor isEnabled=True
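A practitioner auditing many subscriptions will want to verify not just that the Containers plan is on the Standard tier but that every component is enabled, since the portal reports a plan whose components are partly off as Partial (step 6 above) and the CLI command only brings full coverage when all four extensions are passed. The script below is an added example, not code from this page or from Microsoft: it classifies the JSON that `az security pricing show --name Containers -o json` returns for a subscription as off, partial or on, and builds the remediation command for the non-compliant ones. It assumes that output carries a top-level `pricingTier` of `Free` or `Standard` and an `extensions` list whose items have `name` and `isEnabled` (serialised as the strings `"True"`/`"False"`), and that `--subscription` is available as the az CLI's global scoping parameter. The subscription IDs and pricing documents are constructed for the example.

```python
"""Audit whether Defender for Containers is fully On, from `az security pricing show` output.

Added example, not code from the page or from Microsoft. Assumed JSON shape for
`az security pricing show --name Containers -o json`: a top-level "pricingTier" of
"Free" or "Standard", plus an "extensions" list whose items carry "name" and
"isEnabled" (serialised as the strings "True"/"False"). All sample data is constructed.
"""
import json
import shlex

# The components the page's remediation command enables. A Standard-tier plan with
# any of these off is what the portal reports as Monitoring coverage: Partial.
REQUIRED_EXTENSIONS = (
    "ContainerRegistriesVulnerabilityAssessments",
    "AgentlessDiscoveryForKubernetes",
    "AgentlessVmScanning",
    "ContainerSensor",
)

# Constructed sample: one pricing document per (made-up) subscription ID, as if each
# were the output of `az security pricing show --name Containers --subscription <id>`.
SAMPLE_PRICINGS = json.loads("""
{
  "00000000-0000-0000-0000-000000000001": {
    "name": "Containers", "pricingTier": "Free", "extensions": []
  },
  "00000000-0000-0000-0000-000000000002": {
    "name": "Containers", "pricingTier": "Standard",
    "extensions": [
      {"name": "ContainerRegistriesVulnerabilityAssessments", "isEnabled": "True"},
      {"name": "AgentlessDiscoveryForKubernetes", "isEnabled": "True"},
      {"name": "AgentlessVmScanning", "isEnabled": "False"},
      {"name": "ContainerSensor", "isEnabled": "True"}
    ]
  },
  "00000000-0000-0000-0000-000000000003": {
    "name": "Containers", "pricingTier": "Standard",
    "extensions": [
      {"name": "ContainerRegistriesVulnerabilityAssessments", "isEnabled": "True"},
      {"name": "AgentlessDiscoveryForKubernetes", "isEnabled": "True"},
      {"name": "AgentlessVmScanning", "isEnabled": "True"},
      {"name": "ContainerSensor", "isEnabled": "True"}
    ]
  }
}
""")


def _is_enabled(value):
    """The Pricings API serialises isEnabled as "True"/"False"; tolerate a real bool too."""
    return value is True or str(value).lower() == "true"


def audit_containers_plan(pricing):
    """Classify one pricing document.

    Returns (status, missing): status is "off" (Free tier), "partial" (Standard
    tier but at least one required component disabled) or "on"; missing lists
    the required extensions that are not enabled.
    """
    if str(pricing.get("pricingTier", "")).lower() != "standard":
        return "off", list(REQUIRED_EXTENSIONS)
    enabled = {
        ext.get("name")
        for ext in pricing.get("extensions", [])
        if _is_enabled(ext.get("isEnabled"))
    }
    missing = [name for name in REQUIRED_EXTENSIONS if name not in enabled]
    return ("partial" if missing else "on"), missing


def remediation_command(subscription_id):
    """Build the page's `az security pricing create` command, scoped to one subscription.

    Every required extension is passed explicitly so that a merely Partial plan
    is brought to full coverage rather than left as it is.
    """
    args = ["az", "security", "pricing", "create", "--name", "Containers",
            "--tier", "standard", "--subscription", subscription_id]  # --subscription: assumed global az flag
    for name in REQUIRED_EXTENSIONS:
        args += ["--extensions", f"name={name}", "isEnabled=True"]
    return " ".join(shlex.quote(a) for a in args)


def audit_subscriptions(pricings):
    """Return {subscription_id: (status, missing)} for every non-compliant subscription."""
    findings = {}
    for sub_id, pricing in pricings.items():
        status, missing = audit_containers_plan(pricing)
        if status != "on":
            findings[sub_id] = (status, missing)
    return findings


if __name__ == "__main__":
    for sub_id, (status, missing) in audit_subscriptions(SAMPLE_PRICINGS).items():
        print(f"{sub_id}: Containers plan is {status}; missing {missing}")
        print("  fix: " + remediation_command(sub_id))
```

To run it against real data, replace `SAMPLE_PRICINGS` with a mapping built from `az security pricing show --name Containers -o json` executed once per subscription; the two helper functions need no other change. The check deliberately treats an extension that is absent from the list the same as one whose `isEnabled` is `"False"`, so a plan enabled through an older client that never registered a newer component is still reported as partial.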


Linked Framework Sections

Section | Sub Section | Internal Rules | Policies | Flags | Compliance
💼 APRA CPG 234 → 💼 16a vulnerability and threat management;1010no data
💼 APRA CPG 234 → 💼 16e security testing, including penetration testing;99no data
💼 APRA CPG 234 → 💼 36g vulnerability management controls — which identify and address information security vulnerabilities in a timely manner;1010no data
💼 APRA CPG 234 → 💼 36k response controls — to manage information security incidents and feedback mechanisms to address control deficiencies;99no data
💼 APRA CPG 234 → 💼 39a implement mechanisms that access and analyse timely threat intelligence regarding vulnerabilities, threats, methods of attack and countermeasures;1010no data
💼 APRA CPG 234 → 💼 39d implement mechanisms to disrupt the various phases of an attack. Example phases include reconnaissance, vulnerability exploitation, malware installation, privilege escalation, and unauthorised access1010no data
💼 APRA CPG 234 → 💼 52e monitoring for unauthorised software and hardware (e.g. key loggers, password cracking software, wireless access points, business implemented technology solutions);99no data
💼 APRA CPG 234 → 💼 66 Under CPS 234, an APRA-regulated entity is required to have robust mechanisms in place to detect and respond to actual or potential compromises of information security in a timely manner. The term ‘potential’ is used to highlight that information security incidents are commonly identified when an event occurs (e.g. unauthorised access notification, customer complaint) requiring further investigation in order to ascertain whether an actual security compromise has occurred.99no data
💼 APRA CPG 234 → 💼 67c sensors that provide an alert when a measure breaches a defined threshold(s) (e.g. device, server and network activity);99no data
💼 APRA CPG 234 → 💼 68 Monitoring processes and tools remain in step with the evolving nature of threats and contemporary industry practices.99no data
💼 APRA CPG 234 → 💼 73a detection of an information security event through the use of automated sensors and manual review;99no data
💼 APRA CPG 234 → 💼 73b identification and analysis to determine if it is an incident or an event;99no data
💼 APRA CPG 234 → 💼 73d containment to minimise the damage caused, and reduce the possibility of further damage;99no data
💼 APRA CPG 234 → 💼 73e eradication which involves the removal of the source of the information security compromise (typically malware);99no data
💼 CIS Azure v1.3.0 → 💼 2.7 Ensure that Azure Defender is set to On for Container Registries - Level 2 (Manual)11no data
💼 CIS Azure v1.4.0 → 💼 2.7 Ensure that Microsoft Defender for Container Registries is set to 'On' - Level 2 (Manual)11no data
💼 CIS Azure v5.0.0 → 💼 8.1.4.1 Ensure That Microsoft Defender for Containers Is Set To 'On' (Automated)1no data
💼 Cloudaware Framework → 💼 Microsoft Defender Configuration29no data
💼 FedRAMP High Security Controls → 💼 IR-6(1) Automated Reporting (M)(H)810no data
💼 FedRAMP High Security Controls → 💼 RA-3 Risk Assessment (L)(M)(H)177no data
💼 FedRAMP High Security Controls → 💼 RA-5 Vulnerability Monitoring and Scanning (L)(M)(H)678no data
💼 FedRAMP High Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H)2719no data
💼 FedRAMP High Security Controls → 💼 SI-3 Malicious Code Protection (L)(M)(H)77no data
💼 FedRAMP Low Security Controls → 💼 RA-3 Risk Assessment (L)(M)(H)17no data
💼 FedRAMP Low Security Controls → 💼 RA-5 Vulnerability Monitoring and Scanning (L)(M)(H)28no data
💼 FedRAMP Low Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H)19no data
💼 FedRAMP Low Security Controls → 💼 SI-3 Malicious Code Protection (L)(M)(H)7no data
💼 FedRAMP Moderate Security Controls → 💼 IR-6(1) Automated Reporting (M)(H)10no data
💼 FedRAMP Moderate Security Controls → 💼 RA-3 Risk Assessment (L)(M)(H)17no data
💼 FedRAMP Moderate Security Controls → 💼 RA-5 Vulnerability Monitoring and Scanning (L)(M)(H)48no data
💼 FedRAMP Moderate Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H)219no data
💼 FedRAMP Moderate Security Controls → 💼 SI-3 Malicious Code Protection (L)(M)(H)7no data
💼 ISO/IEC 27001:2013 → 💼 A.12.2.1 Controls against malware77no data
💼 ISO/IEC 27001:2013 → 💼 A.12.6.1 Management of technical vulnerabilities77no data
💼 ISO/IEC 27001:2022 → 💼 8.8 Management of technical vulnerabilities810no data
💼 NIST CSF v1.1 → 💼 DE.AE-4: Impact of events is determined1314no data
💼 NIST CSF v1.1 → 💼 DE.CM-4: Malicious code is detected77no data
💼 NIST CSF v1.1 → 💼 DE.CM-8: Vulnerability scans are performed77no data
💼 NIST CSF v1.1 → 💼 DE.DP-3: Detection processes are tested1314no data
💼 NIST CSF v1.1 → 💼 DE.DP-4: Event detection information is communicated2933no data
💼 NIST CSF v1.1 → 💼 DE.DP-5: Detection processes are continuously improved1316no data
💼 NIST CSF v1.1 → 💼 ID.RA-1: Asset vulnerabilities are identified and documented1316no data
💼 NIST CSF v1.1 → 💼 ID.RA-3: Threats, both internal and external, are identified and documented77no data
💼 NIST CSF v1.1 → 💼 ID.RA-4: Potential business impacts and likelihoods are identified77no data
💼 NIST CSF v1.1 → 💼 ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk77no data
💼 NIST CSF v1.1 → 💼 ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process77no data
💼 NIST CSF v1.1 → 💼 PR.AT-1: All users are informed and trained77no data
💼 NIST CSF v1.1 → 💼 PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity2227no data
💼 NIST CSF v1.1 → 💼 PR.IP-12: A vulnerability management plan is developed and implemented79no data
💼 NIST CSF v1.1 → 💼 RS.CO-3: Information is shared consistent with response plans1618no data
💼 NIST CSF v1.1 → 💼 RS.MI-1: Incidents are contained77no data
💼 NIST CSF v1.1 → 💼 RS.MI-2: Incidents are mitigated77no data
💼 NIST CSF v1.1 → 💼 RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks77no data
💼 NIST CSF v2.0 → 💼 DE.AE-04: The estimated impact and scope of adverse events are understood14no data
💼 NIST CSF v2.0 → 💼 DE.AE-06: Information on adverse events is provided to authorized staff and tools33no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events170no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events170no data
💼 NIST CSF v2.0 → 💼 GV.OC-02: Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered7no data
💼 NIST CSF v2.0 → 💼 GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes10no data
💼 NIST CSF v2.0 → 💼 GV.SC-04: Suppliers are known and prioritized by criticality7no data
💼 NIST CSF v2.0 → 💼 GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship26no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties51no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities52no data
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded41no data
💼 NIST CSF v2.0 → 💼 ID.RA-03: Internal and external threats to the organization are identified and recorded7no data
💼 NIST CSF v2.0 → 💼 ID.RA-04: Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded7no data
💼 NIST CSF v2.0 → 💼 ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization7no data
💼 NIST CSF v2.0 → 💼 ID.RA-06: Risk responses are chosen, prioritized, planned, tracked, and communicated7no data
💼 NIST CSF v2.0 → 💼 ID.RA-10: Critical suppliers are assessed prior to acquisition26no data
💼 NIST CSF v2.0 → 💼 PR.AT-01: Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind8no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected180no data
💼 NIST CSF v2.0 → 💼 RS.CO-02: Internal and external stakeholders are notified of incidents31no data
💼 NIST CSF v2.0 → 💼 RS.CO-03: Information is shared with designated internal and external stakeholders19no data
💼 NIST CSF v2.0 → 💼 RS.MI-01: Incidents are contained7no data
💼 NIST CSF v2.0 → 💼 RS.MI-02: Incidents are eradicated7no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(12) Software, Firmware, and Information Integrity _ Integrity Verification1921no data
💼 PCI DSS v3.2.1 → 💼 5.1 Deploy anti-virus software on all systems commonly affected by malicious software.244no data
💼 PCI DSS v3.2.1 → 💼 11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network.113no data
💼 PCI DSS v4.0.1 → 💼 5.2.1 An anti-malware solution(s) is deployed on all system components.4no data
💼 PCI DSS v4.0.1 → 💼 11.5.1 Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network.113no data
💼 PCI DSS v4.0.1 → 💼 11.5.1.1 Intrusion-detection and/or intrusion-prevention techniques detect, alert on/prevent, and address covert malware communication channels.13no data
💼 PCI DSS v4.0.1 → 💼 11.6.1 A change- and tamper-detection mechanism is deployed.13no data
💼 PCI DSS v4.0 → 💼 5.2.1 An anti-malware solution(s) is deployed on all system components.44no data
💼 PCI DSS v4.0 → 💼 11.5.1 Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network.1813no data
💼 PCI DSS v4.0 → 💼 11.5.1.1 Intrusion-detection and/or intrusion-prevention techniques detect, alert on/prevent, and address covert malware communication channels.813no data
💼 PCI DSS v4.0 → 💼 11.6.1 A change- and tamper-detection mechanism is deployed.13no data
💼 SOC 2 → 💼 CC7.2-3 Implements Filters to Analyze Anomalies918no data