Merge pull request #203685 from ElazarK/simulate-alerts

simulate alerts

Author: ttorble

articles/defender-for-cloud/alert-validation.md

@@ -2,9 +2,7 @@
 title: Alert validation in Microsoft Defender for Cloud | Microsoft Docs
 description: Learn how to validate that your security alerts are correctly configured in Microsoft Defender for Cloud
 ms.topic: how-to
-ms.author: benmansheim
-author: bmansheim
-ms.date: 12/12/2021
+ms.date: 07/04/2022
 
 ---
 # Alert validation in Microsoft Defender for Cloud
@@ -18,7 +16,7 @@ For more information, see [Security alerts in Defender for Cloud](alerts-overvie
 
 ## Generate sample security alerts
 
-If you're using the new, preview alerts experience as described in [Manage and respond to security alerts in Microsoft Defender for Cloud](managing-and-responding-alerts.md), you can create sample alerts in a few clicks from the security alerts page in the Azure portal.
+If you're using the new, preview alerts experience as described in [Manage and respond to security alerts in Microsoft Defender for Cloud](managing-and-responding-alerts.md), you can create sample alerts from the security alerts page in the Azure portal.
 
 Use sample alerts to:
 
@@ -74,15 +72,72 @@ After the Log Analytics agent is installed on your machine, follow these steps f
 
 ## Simulate alerts on Kubernetes <a name="validate-kubernetes"></a>
 
-If you've integrated Azure Kubernetes Service with Defender for Cloud, you can test that your alerts are working with the following kubectl command:
+Defender for Containers provides security alerts for both your clusters and underlying cluster nodes. Defender for Containers accomplishes this by monitoring both the control plane (API server) and the containerized workload.
 
-`kubectl get pods --namespace=asc-alerttest-662jfi039n`
+You can tell if your alert is related to the control plan or the containerized workload based on its prefix. Control plane security alerts have a prefix of `K8S_`, while security alerts for runtime workload in the clusters have a prefix of `K8S.NODE_`.
 
-For more information about defending your Kubernetes nodes and clusters, see [Overview of Microsoft Defender for Containers](defender-for-containers-introduction.md)
+You can simulate alerts for both of the control plane, and workload alerts with the following steps.
+
+### Simulate control plane alerts (K8S_ prefix)
+
+**Prerequisites**
+
+- Ensure the Defender for Containers plan is enabled.
+- **ARC only** - Ensure the defender extension is installed.
+- **EKS or GKE only** - Ensure the default audit log collection auto-provisioning options are enabled.
+
+**To simulate a Kubernetes control plane security alert**: 
+
+1. Run the following command from the cluster: 
+
+    ```bash
+    kubectl get pods --namespace=asc-alerttest-662jfi039n
+    ```
+
+    You'll get the following response: `No resource found`.
+
+1. Wait 30 minutes.
+
+1. In the Azure portal, navigate to the Defender for Cloud's alerts page.
+
+1. On the relevant Kubernetes cluster, locate the following alert `Microsoft Defender for Cloud test alert for K8S (not a threat)` 
+
+### Simulate workload alerts (K8S.NODE_ prefix)
+
+**Prerequisites**
+
+- Ensure the Defender for Containers plan is enabled.
+- Ensure the Defender profile\extension is installed 
+
+**To simulate a a Kubernetes workload security alert**:
+ 
+1. Access one of the `azuredefender-publisher-<XXX>` pods deployed in your Kubernetes cluster.
+
+1. Run the following command from the cluster:
+
+    ```bash
+    kubectl exec -it azuredefender-publisher-xx-xxxxx -n <namespace> -- bash
+    ```
+
+    For AKS - `<namespace>` = `kube-system`<br>
+    For ARC - `<namespace>` = `mdc`
+
+1. Select an executable, copy it to a convenient location and rename it to `./asc_alerttest_662jfi039n`. For example:
+`cp /bin/echo ./asc_alerttest_662jfi039n`.
+
+1. Execute the file `./asc_alerttest_662jfi039n testing eicar pipe`.
+
+1. Wait 10 minutes.
+
+1. In the Azure portal, navigate to the Defender for Cloud's alerts page.
+
+1. On the relevant AKS cluster, locate the following alert `Microsoft Defender for Cloud test alert (not a threat)`.
+
+You can also learn more about defending your Kubernetes nodes and clusters with [Microsoft Defender for Containers](defender-for-containers-introduction.md).
 
 ## Next steps
 This article introduced you to the alerts validation process. Now that you're familiar with this validation, try the following articles:
 
-* [Validating Azure Key Vault threat detection in Microsoft Defender for Cloud](https://techcommunity.microsoft.com/t5/azure-security-center/validating-azure-key-vault-threat-detection-in-azure-security/ba-p/1220336)
-* [Managing and responding to security alerts in Microsoft Defender for Cloud](managing-and-responding-alerts.md) - Learn how to manage alerts, and respond to security incidents in Defender for Cloud.
-* [Understanding security alerts in Microsoft Defender for Cloud](./alerts-overview.md) - Learn about the different types of security alerts.
+- [Validating Azure Key Vault threat detection in Microsoft Defender for Cloud](https://techcommunity.microsoft.com/t5/azure-security-center/validating-azure-key-vault-threat-detection-in-azure-security/ba-p/1220336)
+- [Managing and responding to security alerts in Microsoft Defender for Cloud](managing-and-responding-alerts.md) - Learn how to manage alerts, and respond to security incidents in Defender for Cloud.
+- [Understanding security alerts in Microsoft Defender for Cloud](./alerts-overview.md)