This chapter covers container security and Kubernetes threat detection, a critical domain for the SC-200 exam (Objective 3.2: Configure and manage threat detection in cloud workloads). Approximately 10-15% of exam questions touch on cloud workload protection, with container security forming a significant subset. You will learn how Microsoft Defender for Cloud protects Kubernetes clusters, how to enable advanced threat detection for AKS, and how to investigate container-related security incidents using Microsoft Sentinel. The chapter emphasizes practical configuration steps, detection mechanisms, and incident response workflows specific to containerized environments.
Jump to a section
Think of a modern shipping port. Containers (container images) arrive from various sources, each packed with cargo (application code and dependencies). The port authority (Kubernetes control plane) must inspect every container for dangerous goods (vulnerabilities, malware) before allowing it onto the dock. Once cleared, containers are stacked in a yard (image registry) and later loaded onto ships (nodes) by cranes (kubelet). Each ship has a manifest (Pod spec) listing which containers go where. While at sea, the ship's crew (node-level security agents) monitor for leaks (runtime anomalies) and can jettison compromised containers overboard (kill Pods). The port also has security cameras (audit logs) recording every crane movement and crew action. If a container is later found to contain hazardous material, the port can recall all ships carrying that container (image vulnerability alert triggers Pod restart). This analogy maps directly to Kubernetes security: image scanning at admission (Gatekeeper/OPA), runtime detection (Falco, Microsoft Defender for Containers), and audit logging through Azure Policy and Azure Kubernetes Service (AKS) diagnostics.
What is Container Security and Why Does It Matter?
Container security encompasses the practices and tools used to protect containerized applications throughout their lifecycle: from image creation and registry storage to deployment, runtime, and eventual retirement. Containers share the host kernel, so a single compromised container can lead to host takeover or lateral movement across the cluster. Kubernetes orchestrates containers, adding complexity with its control plane, etcd, and network policies. The SC-200 exam focuses on Microsoft's security solutions for Azure Kubernetes Service (AKS), including Microsoft Defender for Containers, Azure Policy for Kubernetes, and integration with Microsoft Sentinel.
How Microsoft Defender for Containers Works
Microsoft Defender for Containers is a cloud-native solution that provides threat detection for AKS clusters and container registries. It consists of two main components:
Defender for Cloud (formerly Azure Security Center) provides vulnerability assessment, security recommendations, and threat alerts.
Defender for Containers plan (part of Defender for Cloud) enables advanced threat detection for Kubernetes clusters, including runtime threat detection, host-level detection, and Kubernetes audit log analysis.
When you enable the Defender for Containers plan on a subscription, Defender for Cloud automatically deploys two agents to each AKS node:
Azure Policy for Kubernetes (via the Azure Policy add-on) enforces security policies such as restricting privileged containers or ensuring read-only root filesystems.
Defender profile (a DaemonSet) provides runtime threat detection by monitoring host and container activities. It uses eBPF (extended Berkeley Packet Filter) technology to collect kernel-level events without modifying container images.
Key Components and Defaults
Defender profile DaemonSet: Deployed as microsoft-defender-collector in the kube-system namespace. It collects auditd events, process execution, file system changes, and network connections.
Azure Policy for Kubernetes: Enforces built-in policies like "Kubernetes clusters should not allow privileged containers" (policy ID: 9e6f1a0b-...). Over 50 built-in policies are available.
Kubernetes audit logs: Enabled by default when you create an AKS cluster with Azure Monitor. These logs record all API server requests and are forwarded to Log Analytics workspaces.
Threat alerts: Defender for Cloud generates alerts based on MITRE ATT&CK® tactics. Examples include "Privileged container detected" (alert ID: K8S.PrivilegedContainer) and "Kubernetes API server exposed to internet" (alert ID: K8S.ApiServerExposed).
Configuration Steps
To enable Defender for Containers on an existing AKS cluster:
az aks enable-addons --addons azure-policy --name <cluster-name> --resource-group <rg>
az aks update --name <cluster-name> --resource-group <rg> --enable-defenderFor new clusters, you can enable both during creation:
az aks create --name <cluster-name> --resource-group <rg> --enable-addons azure-policy --enable-defenderAfter enabling, verify the DaemonSet is running:
kubectl get daemonset -n kube-system | grep defenderHow Runtime Threat Detection Works
The Defender profile uses eBPF to hook system calls such as execve, open, connect, and bind. When a suspicious event occurs (e.g., a container executes curl to an external IP), the agent:
Captures the event with metadata (container ID, process ID, user, command line).
Enriches the event with Kubernetes context (Pod name, namespace, labels) by querying the kubelet API.
Evaluates the event against detection rules defined in the Defender profile (e.g., rules for cryptomining, reverse shell, credential theft).
If a match occurs, sends an alert to Defender for Cloud with severity (High, Medium, Low).
The alert appears in the Azure portal under Security Alerts, and can be forwarded to Microsoft Sentinel for investigation.
Interaction with Azure Policy for Kubernetes
Azure Policy for Kubernetes uses Gatekeeper (an admission controller webhook) to enforce policies on resources at creation time. For example, a policy might require all containers to run as non-root. When a user attempts to create a Pod that violates the policy, the API server rejects the request with a message explaining the violation. This prevents insecure configurations from ever being deployed.
Vulnerability Assessment for Container Images
Defender for Containers also integrates with Azure Container Registry (ACR) to scan images for vulnerabilities. The scan occurs on every push to the registry and is triggered again when new vulnerabilities are disclosed (e.g., a new CVE). The scan results are reported as recommendations in Defender for Cloud, such as "Container images should be scanned for vulnerabilities" (recommendation ID: 6a3e6e5b-...).
Investigating Incidents with Microsoft Sentinel
Microsoft Sentinel supports Kubernetes data connectors for:
Azure Kubernetes Service (AKS) audit logs – streams all API server logs to Sentinel.
Microsoft Defender for Cloud alerts – ingests security alerts from Defender for Containers.
Syslog from AKS nodes – if you configure custom logging.
Sentinel provides built-in analytics rules for Kubernetes threats, such as "Kubernetes API server activity from unexpected IP" or "Cluster role binding modified to grant admin access". You can also create custom hunting queries using KQL (Kusto Query Language).
Example KQL query to find privileged containers:
KubeEvents
| where EventType == "PodCreated"
| extend PodName = tostring(parse_json(EventObject).metadata.name)
| where EventObject has "privileged: true"Key Exam Numbers and Values
Default audit log retention: 30 days in Log Analytics, extendable to 730 days (2 years).
Defender for Containers pricing: $0.01 per vCPU per hour (as of 2025).
Number of built-in Azure Policy for Kubernetes policies: 50+.
eBPF: The technology used for runtime monitoring; no kernel module installation required.
MITRE ATT&CK tactics covered: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.
Common Exam Traps
Trap 1: Confusing Defender for Cloud with Azure Security Center (ASC). ASC is the predecessor; Defender for Cloud is the current name. The exam uses "Microsoft Defender for Cloud".
Trap 2: Assuming Azure Policy for Kubernetes is automatically enabled. It requires explicit enablement via --enable-addons azure-policy.
Trap 3: Thinking that Defender for Containers protects only AKS clusters. It also protects Azure Container Instances (ACI) and on-premises Kubernetes clusters via Arc-enabled Kubernetes.
Trap 4: Believing that vulnerability scanning is real-time. Scanning occurs on push and periodically (every 24 hours) but is not continuous.
Trap 5: Forgetting that Defender profile requires outbound internet access to send alerts. If the cluster is private, you need a firewall or proxy with appropriate endpoints.
Summary of Detection Capabilities
| Detection Type | Data Source | Example Alert | |----------------|-------------|---------------| | Image vulnerability | ACR scan | "Container image has critical vulnerabilities" | | Runtime threat | eBPF events (host/container) | "Crypto miner detected in container" | | Kubernetes audit | API server logs | "Suspicious kubectl exec to Pod" | | Host-level threat | Defender for Cloud (Azure VM) | "SSH brute force from compromised node" |
Enable Defender for Containers on AKS
First, ensure the subscription is onboarded to Microsoft Defender for Cloud with the Defender for Containers plan enabled. Use Azure CLI: `az aks enable-addons --addons azure-policy --name <cluster> --resource-group <rg>` to install Azure Policy for Kubernetes. Then run `az aks update --name <cluster> --resource-group <rg> --enable-defender` to deploy the Defender profile DaemonSet. This step triggers the automatic installation of agents on all nodes. Verify with `kubectl get pods -n kube-system -l app=defender`.
Configure Azure Policy for Kubernetes
Navigate to Azure Policy in the portal, select the initiative "Kubernetes cluster pod security baseline" (or custom policies). Assign to the AKS cluster resource group. Policies are enforced via Gatekeeper admission controller. For example, assign policy "Kubernetes clusters should not allow privileged containers" to prevent privilege escalation. The policy will reject any Pod creation that sets `privileged: true`. Monitor compliance in the Azure Policy Compliance dashboard.
Enable audit logs and forward to Sentinel
In the AKS cluster, enable diagnostic settings to stream audit logs to a Log Analytics workspace (or directly to Sentinel). In Azure portal, go to AKS > Monitoring > Diagnostic settings. Add a setting for `kube-audit` and `kube-audit-admin` logs. Send to Log Analytics workspace used by Sentinel. This enables real-time monitoring of API server activities such as role binding changes, secret access, and Pod creation.
Review security alerts in Defender for Cloud
Open Microsoft Defender for Cloud, select Security Alerts. Filter by resource type "Kubernetes Service" to see container-specific alerts. Each alert includes severity, affected Pod/node, and MITRE tactic. For example, alert "Privileged container detected" (High severity) indicates a container running with elevated permissions. Click the alert to view details: command line, container ID, and recommendation to remove privileges.
Investigate an incident in Microsoft Sentinel
In Sentinel, create an incident from a Defender alert. Use the investigation graph to visualize relationships between entities (Pod, node, user, IP). Run KQL queries like `SecurityAlert | where AlertName contains "Kubernetes"` to list all container-related alerts. Use the `KubeEvents` table to correlate with audit logs. For example, find all Pods that executed a reverse shell by searching for `exec` commands to suspicious IPs. Document findings and create a playbook to automatically isolate compromised Pods using Azure Functions.
Scenario 1: Fintech Company Securing AKS for PCI Compliance
A fintech company runs a payment processing application on AKS. They must comply with PCI DSS, which requires vulnerability scanning, access control, and audit logging. They enable Defender for Containers and assign Azure Policy to enforce that all containers run as non-root and have read-only root filesystems. They configure a custom Azure Policy to reject images from untrusted registries. Vulnerability scans on ACR catch a critical CVE in a base image; the alert triggers an automatic pipeline that rebuilds the image and redeploys all affected Pods. In production, they have 50 nodes and 500 Pods; the Defender profile consumes less than 5% CPU overhead per node. They also stream audit logs to Sentinel and create an analytics rule that alerts when a cluster role binding grants cluster-admin to a service account. One incident: an attacker compromised a developer's credentials and created a privileged Pod to mine cryptocurrency. Defender detected the cryptomining behavior within 2 minutes and sent a high-severity alert. The security team used Sentinel to trace the attacker's actions and revoked the compromised credentials.
Scenario 2: E-commerce Company with Multi-Cluster Environment
A large e-commerce company runs 20 AKS clusters across multiple regions. They use Azure Arc to unify security management. They enable Defender for Containers on all clusters via Azure Policy at the management group level. They use Azure Policy to enforce network policies (Calico) that restrict egress traffic to only approved external IPs. They also deploy a custom Falco rule to detect when a container spawns a shell (e.g., sh or bash). They integrate Sentinel with all clusters and use a single Log Analytics workspace. Performance: each cluster has 100-200 nodes; the Defender profile uses 50MB memory per node. They faced a misconfiguration where the Defender profile was missing from one cluster because the AKS update command failed silently. They caught it by running a custom Azure Monitor alert that checks for the DaemonSet's desired vs. current count. The fix: re-run az aks update --enable-defender.
Scenario 3: Healthcare Provider with Regulatory Requirements
A healthcare provider stores patient data in an AKS cluster. They must comply with HIPAA, which requires encryption at rest and in transit. They enable Defender for Containers and also use Azure Policy to enforce that secrets are mounted from Azure Key Vault via CSI driver, not as environment variables. They configure audit logs to be retained for 1 year (365 days) by extending Log Analytics retention to 730 days. They use Sentinel to create a custom hunting query that detects any access to a Pod containing patient data (labeled with data-classification=phi). They also enable network policy to deny all ingress except from a specific application gateway. One incident: a developer accidentally exposed a Kubernetes dashboard via a LoadBalancer service. Defender alerted "Kubernetes dashboard exposed to internet" within minutes. The team deleted the service and applied a network policy to block public access.
What SC-200 Tests on Container Security
Exam objective 3.2: Configure and manage threat detection in cloud workloads. Sub-objectives include:
Enable Microsoft Defender for Cloud for containers (including AKS, ACI, Arc-enabled Kubernetes).
Configure Azure Policy for Kubernetes to enforce security baselines.
Investigate container security incidents using Microsoft Sentinel.
Interpret security alerts from Defender for Containers.
Top Wrong Answers and Why Candidates Choose Them
Wrong answer: "Azure Security Center (ASC) is the tool to enable for container protection." Why chosen: ASC was the old name; candidates who studied older materials pick this. Reality: The current name is Microsoft Defender for Cloud. ASC is deprecated.
Wrong answer: "You need to install the Log Analytics agent on AKS nodes for runtime detection." Why chosen: Many assume all monitoring requires MMA/AMA. Reality: Defender profile uses eBPF; no Log Analytics agent needed for runtime detection (though MMA is used for host-level alerts in hybrid scenarios).
Wrong answer: "Azure Policy for Kubernetes is automatically enabled when you create an AKS cluster." Why chosen: Candidates think all security features are default. Reality: You must explicitly enable it via --enable-addons azure-policy.
Wrong answer: "Defender for Containers only monitors AKS clusters." Why chosen: Candidates overlook Arc-enabled Kubernetes. Reality: It also protects ACI and clusters managed via Azure Arc.
Specific Numbers and Terms on the Exam
eBPF (extended Berkeley Packet Filter) is the technology used for runtime monitoring. Memorize that it requires no kernel module.
DaemonSet name: microsoft-defender-collector.
Pricing: $0.01 per vCPU per hour (for Defender for Containers plan).
Audit log retention: 30 days default, up to 730 days in Log Analytics.
Number of built-in policies: 50+.
MITRE ATT&CK tactics: The exam may ask which tactic a specific alert maps to (e.g., "Privileged container" maps to Privilege Escalation).
Edge Cases and Exceptions
Private clusters: If AKS cluster has no outbound internet, you must configure a firewall with the required endpoints (e.g., *.ods.opinsights.azure.com, *.oms.opinsights.azure.com). The exam may present a scenario where Defender profile fails to report because of missing egress.
Windows nodes: Defender for Containers supports Linux nodes only. Windows nodes are not monitored for runtime threats. The exam might test this limitation.
Multiple clusters: You can enable Defender for Containers at the subscription level to cover all existing and future clusters.
How to Eliminate Wrong Answers
Understand the mechanism: If a question asks about runtime detection, eliminate any answer mentioning image scanning or admission control. Runtime detection is based on eBPF events.
Know the agent: The Defender profile is a DaemonSet, not a sidecar. Eliminate answers that suggest installing an agent per Pod.
Default vs. manual: If a question implies a feature is automatic, check if it requires explicit enablement. Azure Policy and Defender profile are opt-in.
Scope: Defender for Containers covers AKS, ACI, and Arc-enabled Kubernetes. Eliminate answers that limit it to AKS only.
Microsoft Defender for Containers protects AKS, ACI, and Arc-enabled Kubernetes clusters.
Enable Defender for Containers via 'az aks update --enable-defender' or through the Azure portal.
Azure Policy for Kubernetes must be explicitly enabled with '--enable-addons azure-policy'.
Runtime threat detection uses eBPF and is deployed as a DaemonSet named 'microsoft-defender-collector'.
Audit logs are enabled via diagnostic settings and sent to Log Analytics for Sentinel integration.
Vulnerability scanning occurs on image push and every 24 hours; not real-time.
Defender for Containers does not support Windows nodes for runtime detection.
Private clusters require firewall rules to allow outbound traffic to Defender endpoints.
Common exam traps include confusing Defender for Cloud with ASC, and assuming features are automatic.
MITRE ATT&CK tactics are used to classify alerts; know the mapping for key alerts.
These come up on the exam all the time. Here's how to tell them apart.
Defender for Containers (Microsoft)
Managed service integrated with Azure; no infrastructure to maintain.
Uses eBPF for runtime detection; no kernel module.
Alerts appear in Defender for Cloud and can be forwarded to Sentinel.
Includes vulnerability scanning for images in ACR.
Priced per vCPU per hour ($0.01).
Falco (Open Source)
Open source; requires self-managed deployment (DaemonSet).
Uses kernel module (falco-probe) or eBPF (modern Falco).
Outputs to syslog, file, or gRPC; can be integrated with SIEM via syslog.
No built-in image scanning; must integrate with Trivy or Clair separately.
Free; no licensing cost, but operational overhead.
Mistake
Defender for Containers requires the Log Analytics agent (MMA) on AKS nodes.
Correct
No. The Defender profile uses eBPF for runtime detection and does not require MMA. However, MMA is used for host-level detection if you also enable Defender for Servers on the nodes.
Mistake
Azure Policy for Kubernetes is automatically enabled when you enable Defender for Cloud.
Correct
False. You must explicitly enable the Azure Policy add-on using `az aks enable-addons --addons azure-policy`. Defender for Cloud and Azure Policy are separate features.
Mistake
Vulnerability scanning of container images happens in real-time every few minutes.
Correct
Scanning occurs on push to the registry and then every 24 hours. It is not continuous or real-time.
Mistake
Defender for Containers protects all Kubernetes distributions, including self-managed clusters.
Correct
It protects AKS, ACI, and Kubernetes clusters connected via Azure Arc. Self-managed clusters not connected via Arc are not supported.
Mistake
If a container is compromised, you must manually delete it using kubectl.
Correct
You can automate response using Microsoft Sentinel playbooks or Azure Policy remediation tasks. For example, a playbook can automatically scale the deployment to zero or delete the Pod.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Run `az aks update --name <cluster> --resource-group <rg> --enable-defender` in Azure CLI. This deploys the Defender profile DaemonSet. Also enable Azure Policy for Kubernetes with `az aks enable-addons --addons azure-policy` for admission control. Verify the DaemonSet is running with `kubectl get daemonset -n kube-system | grep defender`. For new clusters, use `az aks create --enable-defender --enable-addons azure-policy`.
Defender for Cloud is the overall security platform (formerly Azure Security Center). Defender for Containers is a plan within Defender for Cloud that provides threat detection specifically for container environments (AKS, ACI, Arc-enabled Kubernetes). Enabling the Defender for Containers plan activates the container-specific features, while Defender for Cloud also includes other plans like Defender for Servers, Defender for SQL, etc.
Yes. The Defender profile monitors for known cryptomining behavior, such as high CPU usage combined with network connections to mining pools, or execution of common mining software (e.g., 'xmrig'). When detected, it generates a high-severity alert like 'Crypto miner detected in container' with the affected Pod and container ID. You can then investigate in Sentinel and take automated action via playbooks.
First, ensure your AKS cluster has diagnostic settings enabled for 'kube-audit' and 'kube-audit-admin' logs, sending them to a Log Analytics workspace. Then, in Microsoft Sentinel, enable the 'Azure Kubernetes Service (AKS)' data connector. This will stream the logs into the 'KubeEvents' table in Sentinel. You can then query the table using KQL for security investigations.
Defender for Containers scans images in ACR on push and every 24 hours. If a critical vulnerability is found (e.g., CVE-2023-XXXX), a recommendation appears in Defender for Cloud: 'Container images should be scanned for vulnerabilities'. You can also configure a workflow automation (e.g., Azure Logic App) to trigger a rebuild of the image and redeploy all Pods using that image. The alert does not automatically block the image from running; you must enforce via Azure Policy or admission controller.
Yes, but you must ensure outbound internet access from the cluster to Microsoft Defender endpoints. For private clusters, configure Azure Firewall or a NAT gateway to allow traffic to *.ods.opinsights.azure.com, *.oms.opinsights.azure.com, and *.blob.core.windows.net (for image scanning). If egress is blocked, the Defender profile may fail to send alerts. The exam may test this by presenting a scenario where alerts are missing due to network restrictions.
As of 2025, the price is $0.01 per vCPU per hour for the Defender for Containers plan. This covers runtime threat detection, vulnerability scanning, and policy enforcement. There is no additional charge for Azure Policy for Kubernetes. For example, a cluster with 10 nodes of 4 vCPUs each would cost approximately $0.01 * 40 * 730 = $292 per month (assuming 730 hours/month).
You've just covered Container Security and Kubernetes Threat Detection — now see how well it sticks with free SC-200 practice questions. Full explanations included, no account needed.
Done with this chapter?