Azure Defender for Kubernetes provides cluster-level threat protection for Azure Kubernetes Service (AKS) by analyzing the logs that AKS retrieves from the cluster control plane. Examples of security events it monitors include exposed Kubernetes dashboards, creation of high-privileged roles, and creation of sensitive mounts.
| Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|---|
| azure_defender_for_kubernetes | Azure Defender for Kubernetes | detect | partial | T1525 | Implant Container Image | This control may alert on containers with sensitive volume mounts, unneeded privileges, or images running digital-currency mining software. |
| azure_defender_for_kubernetes | Azure Defender for Kubernetes | protect | partial | T1190 | Exploit Public-Facing Application | This control may alert on publicly exposed Kubernetes services. This provides context on which services should be patched or hardened before being exposed publicly. |
| azure_defender_for_kubernetes | Azure Defender for Kubernetes | detect | partial | T1068 | Exploitation for Privilege Escalation | This control may alert on the creation of new privileged containers and high-privileged roles. |
| azure_defender_for_kubernetes | Azure Defender for Kubernetes | detect | partial | T1070 | Indicator Removal on Host | This control may alert on deletion of Kubernetes events, which attackers delete to hide their operations in the cluster. No sub-technique is relevant to this control, but the parent technique applies. |
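The table above describes the control-plane behaviours the control alerts on without showing what the underlying detection logic looks like. The following is an added illustration, not Microsoft's or the mapping project's code: a toy rule set run over constructed Kubernetes audit-log-style events (JSON lines, simplified to the `verb`, `user`, `objectRef` and `requestObject` fields) that flags the four behaviours in the table and tags each with the technique the table maps it to. The sensitive host-path list, the exposed-service types and the sample events are assumptions made for the example; Azure Defender's own rules and thresholds are not public.

```python
"""Toy detections for the behaviours in the table above, run over constructed
Kubernetes audit-log-style events. Illustrative only; not Azure Defender logic."""
import json
from typing import Iterator

# Assumption: hostPath roots treated as sensitive for this example.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/var/run/docker.sock", "/var/lib/kubelet", "/root")
# Assumption: service types that expose a workload outside the cluster network.
EXPOSED_SERVICE_TYPES = {"LoadBalancer", "NodePort"}


def _containers(pod_spec: dict) -> Iterator[dict]:
    """Yield init and regular containers from a pod spec."""
    for key in ("initContainers", "containers"):
        yield from pod_spec.get(key, [])


def _is_sensitive_path(path: str) -> bool:
    """Exact match, or a subdirectory of a sensitive root other than '/'."""
    return path in SENSITIVE_HOST_PATHS or any(
        path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def detect(event: dict) -> list[tuple[str, str]]:
    """Return (ATT&CK technique, description) findings for one audit event."""
    findings: list[tuple[str, str]] = []
    verb = event.get("verb", "")
    ref = event.get("objectRef", {})
    resource = ref.get("resource", "")
    obj = event.get("requestObject") or {}
    name = f"{ref.get('namespace', '-')}/{ref.get('name', '?')}"
    user = event.get("user", {}).get("username", "?")

    # T1068 / T1525: privileged containers and sensitive hostPath mounts at pod creation.
    if verb == "create" and resource == "pods":
        spec = obj.get("spec", {})
        for c in _containers(spec):
            if (c.get("securityContext") or {}).get("privileged"):
                findings.append(("T1068", f"privileged container in pod {name}"))
        for vol in spec.get("volumes", []):
            path = (vol.get("hostPath") or {}).get("path")
            if path and _is_sensitive_path(path):
                findings.append(("T1525", f"sensitive hostPath {path} mounted in pod {name}"))

    # T1068: binding cluster-admin, or creating a wildcard role.
    if verb == "create" and resource in ("clusterrolebindings", "rolebindings"):
        if (obj.get("roleRef") or {}).get("name") == "cluster-admin":
            subjects = ", ".join(s.get("name", "?") for s in obj.get("subjects", []))
            findings.append(("T1068", f"cluster-admin bound to {subjects} via {resource} {name}"))
    if verb == "create" and resource in ("clusterroles", "roles"):
        for rule in obj.get("rules", []):
            if "*" in rule.get("verbs", []) and "*" in rule.get("resources", []):
                findings.append(("T1068", f"wildcard role {name} created by {user}"))

    # T1070: removing the cluster's own audit trail of what happened.
    if resource == "events" and verb in ("delete", "deletecollection"):
        findings.append(("T1070", f"{verb} on events by {user}"))

    # T1190: a service (the dashboard in particular) reachable from outside the cluster.
    if verb == "create" and resource == "services":
        svc_type = obj.get("spec", {}).get("type", "ClusterIP")
        if svc_type in EXPOSED_SERVICE_TYPES:
            labels = obj.get("metadata", {}).get("labels", {})
            what = "Kubernetes dashboard" if labels.get("k8s-app") == "kubernetes-dashboard" else "service"
            findings.append(("T1190", f"{what} {name} exposed as {svc_type}"))
    return findings


def scan(audit_jsonl: str) -> list[tuple[str, str]]:
    """Run detect() over a JSON-lines audit log and collect all findings."""
    out: list[tuple[str, str]] = []
    for line in audit_jsonl.splitlines():
        if line.strip():
            out.extend(detect(json.loads(line)))
    return out


# Constructed sample events (not real AKS output): four suspicious, one benign.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"verb": "create", "user": {"username": "dev"}, "objectRef": {"resource": "pods", "namespace": "prod", "name": "worker"},
     "requestObject": {"spec": {"containers": [{"name": "w", "image": "busybox", "securityContext": {"privileged": True}}],
                                "volumes": [{"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}}]}}},
    {"verb": "create", "user": {"username": "dev"}, "objectRef": {"resource": "clusterrolebindings", "name": "crb-1"},
     "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                       "subjects": [{"kind": "ServiceAccount", "name": "default"}]}},
    {"verb": "deletecollection", "user": {"username": "dev"}, "objectRef": {"resource": "events", "namespace": "prod"}},
    {"verb": "create", "user": {"username": "dev"}, "objectRef": {"resource": "services", "namespace": "kubernetes-dashboard", "name": "kubernetes-dashboard"},
     "requestObject": {"metadata": {"labels": {"k8s-app": "kubernetes-dashboard"}}, "spec": {"type": "LoadBalancer"}}},
    {"verb": "create", "user": {"username": "dev"}, "objectRef": {"resource": "pods", "namespace": "prod", "name": "web"},
     "requestObject": {"spec": {"containers": [{"name": "web", "image": "nginx"}],
                                "volumes": [{"name": "cfg", "configMap": {"name": "web-cfg"}}]}}},
])

if __name__ == "__main__":
    for technique, msg in scan(SAMPLE_AUDIT_LOG):
        print(f"{technique}: {msg}")
```

Running the block prints five findings, one per suspicious behaviour (the benign nginx pod produces none). The point of the mapping's "partial" values is visible here: each rule only catches the specific manifestation it looks for, so a privileged pod created by an admission-bypassing path, or a hostPath outside the assumed list, would go unreported.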