Merge pull request #248809 from dcurwin/wi-147392-agentless-discovery-aug20-2023

Agentless discovery for Kubernetes

Author: v-ccolin

articles/defender-for-cloud/concept-agentless-containers.md

@@ -28,29 +28,7 @@ All of these capabilities are available as part of the [Defender CSPM](concept-c
 
 ## Agentless discovery and visibility within Kubernetes components
 
-Agentless discovery for Kubernetes provides API-based discovery of information about Kubernetes cluster architecture, workload objects, and setup.
-
-### How does agentless discovery for Kubernetes work?
-
-The discovery process is based on snapshots taken at intervals:
-
-:::image type="content" source="media/concept-agentless-containers/diagram-permissions-architecture.png" alt-text="Diagram of the permissions architecture." lightbox="media/concept-agentless-containers/diagram-permissions-architecture.png":::
-
-When you enable the agentless discovery for Kubernetes extension, the following process occurs:
-
-- **Create**: Defender for Cloud creates an identity in customer environments called CloudPosture/securityOperator/DefenderCSPMSecurityOperator.
-- **Assign**: Defender for Cloud assigns a built-in role called **Kubernetes Agentless Operator** to that identity on subscription scope. The role contains the following permissions:
-
-  - AKS read (Microsoft.ContainerService/managedClusters/read)
-  - AKS Trusted Access with the following permissions:
-  - Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write
-  - Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read
-  - Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete
-
-   Learn more about [AKS Trusted Access](/azure/aks/trusted-access-feature).
-
-- **Discover**: Using the system assigned identity, Defender for Cloud performs a discovery of the AKS clusters in your environment using API calls to the API server of AKS.
-- **Bind**: Upon discovery of an AKS cluster, Defender for Cloud performs an AKS bind operation between the created identity and the Kubernetes role “Microsoft.Security/pricings/microsoft-defender-operator”. The role is visible via API and gives Defender for Cloud data plane read permission inside the cluster.
+Agentless discovery for Kubernetes provides API-based discovery of information about Kubernetes cluster architecture, workload objects, and setup. For more information, see [Agentless discovery for Kubernetes](defender-for-containers-introduction.md#agentless-discovery-for-kubernetes).
 
 ### What's the refresh interval?
 

articles/defender-for-cloud/defender-for-containers-introduction.md

@@ -5,21 +5,23 @@ ms.topic: overview
 author: dcurwin
 ms.author: dacurwin
 ms.custom: ignite-2022
-ms.date: 07/25/2023
+ms.date: 08/27/2023
 ---
 
 # Overview of Microsoft Defender for Containers
 
 Microsoft Defender for Containers is the cloud-native solution to improve, monitor, and maintain the security of your clusters, containers, and their applications.
 
-Defender for Containers assists you with the three core aspects of container security:
+Defender for Containers assists you with four core aspects of container security:
 
 - [**Environment hardening**](#hardening) - Defender for Containers protects your Kubernetes clusters whether they're running on Azure Kubernetes Service, Kubernetes on-premises/IaaS, or Amazon EKS. Defender for Containers continuously assesses clusters to provide visibility into misconfigurations and guidelines to help mitigate identified threats.
 
 - [**Vulnerability assessment**](#vulnerability-assessment) - Vulnerability assessment and management tools for images stored in Azure Container Registry and Elastic Container Registry
 
 - [**Run-time threat protection for nodes and clusters**](#run-time-protection-for-kubernetes-nodes-and-clusters) - Threat protection for clusters and nodes generates security alerts for suspicious activities.
 
+- [**Agentless discovery for Kubernetes**](#agentless-discovery-for-kubernetes) - Provides tools that give you visibility into your data plane components, generating security insights based on your Kubernetes and environment configuration and lets you hunt for risks.
+
 You can learn more by watching this video from the Defender for Cloud in the Field video series: [Microsoft Defender for Containers](episode-three.md).
 
 ## Microsoft Defender for Containers plan availability
@@ -92,7 +94,43 @@ Defender for Containers also includes host-level threat detection with over 60 K
 
 Defender for Cloud monitors the attack surface of multicloud Kubernetes deployments based on the [MITRE ATT&CK® matrix for Containers](https://www.microsoft.com/security/blog/2021/04/29/center-for-threat-informed-defense-teams-up-with-microsoft-partners-to-build-the-attck-for-containers-matrix/), a framework developed by the [Center for Threat-Informed Defense](https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/) in close partnership with Microsoft.
 
-## Learn More
+## Agentless discovery for Kubernetes
+
+Defender for containers uses [cloud security graph](concept-attack-path.md#what-is-cloud-security-graph) to collect in an agentless manner information about your Kubernetes clusters. This data can be queried via [Cloud Security Explorer](concept-attack-path.md#what-is-cloud-security-explorer) and used for:
+
+1. Kubernetes inventory: gain visibility into your Kubernetes clusters data plane components such as nodes, pods, and cron jobs.
+
+1. Security insights: predefined security situations relevant to Kubernetes components, such as “exposed to the internet”. For more information, see [Security insights](attack-path-reference.md#insights).
+
+1. Risk hunting: querying various risk cases, correlating predefined or custom security scenarios across fine-grained Kubernetes properties as well as Defender For Containers security insights.
+
+:::image type="content" source="media/defender-for-containers/risk-hunting.png" alt-text="Screenshot of risk hunting query." lightbox="media/defender-for-containers/risk-hunting.png":::
+
+### How does agentless discovery for Kubernetes work?
+
+The discovery process is based on snapshots taken at intervals:
+
+:::image type="content" source="media/concept-agentless-containers/diagram-permissions-architecture.png" alt-text="Diagram of the permissions architecture." lightbox="media/concept-agentless-containers/diagram-permissions-architecture.png":::
+
+When you enable the agentless discovery for Kubernetes extension, the following process occurs:
+
+- **Create**:
+  - If the extension is enabled from Defender CSPM, Defender for Cloud creates an identity in customer environments called `CloudPosture/securityOperator/DefenderCSPMSecurityOperator`.
+  - If the extension is enabled from Defender for Containers, Defender for Cloud creates an identity in customer environments called `CloudPosture/securityOperator/DefenderForContainersSecurityOperator`.
+- **Assign**: Defender for Cloud assigns a built-in role called **Kubernetes Agentless Operator** to that identity on subscription scope. The role contains the following permissions:
+
+  - AKS read (Microsoft.ContainerService/managedClusters/read)
+  - AKS Trusted Access with the following permissions:
+  - Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write
+  - Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read
+  - Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete
+
+   Learn more about [AKS Trusted Access](/azure/aks/trusted-access-feature).
+
+- **Discover**: Using the system assigned identity, Defender for Cloud performs a discovery of the AKS clusters in your environment using API calls to the API server of AKS.
+- **Bind**: Upon discovery of an AKS cluster, Defender for Cloud performs an AKS bind operation between the created identity and the Kubernetes role “Microsoft.Security/pricings/microsoft-defender-operator”. The role is visible via API and gives Defender for Cloud data plane read permission inside the cluster.
+
+## Learn more
 
 Learn more about Defender for Containers in the following blogs:
 

articles/defender-for-cloud/defender-for-containers-vulnerability-assessment-azure.md

@@ -3,7 +3,7 @@ title: Vulnerability assessment for Azure powered by Qualys
 description: Learn how to use Defender for Containers to scan images in your Azure Container Registry to find vulnerabilities.
 author: dcurwin
 ms.author: dacurwin
-ms.date: 07/30/2023
+ms.date: 08/27/2023
 ms.topic: how-to
 ms.custom: ignite-2022, build-2023
 ---
@@ -116,7 +116,7 @@ When a finding matches the criteria you've defined in your disable rules, it doe
 - Disable findings with severity below medium
 - Disable findings that are nonpatchable
 - Disable findings with CVSS score below 6.5
-- Disable findings with specific text in the security check or category (for example, “RedHat”, “CentOS Security Update for sudo”)
+- Disable findings with specific text in the security check or category (for example: "RedHat" or "CentOS Security Update for sudo")
 
 > [!IMPORTANT]
 > To create a rule, you need permissions to edit a policy in Azure Policy.
@@ -152,7 +152,9 @@ To create a rule:
 
 Defender for Cloud gives its customers the ability to prioritize the remediation of vulnerabilities in images that are currently being used within their environment using the [Running container images should have vulnerability findings resolved-(powered by Qualys)](https://portal.azure.com/#view/Microsoft_Azure_Security_CloudNativeCompute/KubernetesRuntimeVisibilityRecommendationDetailsBlade/assessmentKey/41503391-efa5-47ee-9282-4eff6131462c/showSecurityCenterCommandBar~/false) recommendation.
 
-To provide findings for the recommendation, Defender for Cloud collects the inventory of your running containers that are collected by the Defender agent installed on your AKS clusters. Defender for Cloud correlates that inventory with the vulnerability assessment scan of images that are stored in ACR. The recommendation shows your running containers with the vulnerabilities associated with the images that are used by each container and provides vulnerability reports and remediation steps.
+To provide the findings for the recommendation, Defender for Cloud collects the inventory of your running containers that are collected by the [agentless container registry vulnerability assessment](agentless-container-registry-vulnerability-assessment.md) or the [Defender agent](tutorial-enable-containers-azure.md#deploy-the-defender-agent-in-azure). Defender for Cloud correlates that inventory with the vulnerability assessment scan of images that are stored in ACR. The recommendation shows your running containers with the vulnerabilities associated with the images that are used by each container and provides vulnerability reports and remediation steps.
+
+While Defender agent provides pod inventory every hour, the agentless container registry vulnerability assessment provides an update every six hours. If both extensions are enabled, the newest information is used.
 
 :::image type="content" source="media/defender-for-containers-vulnerability-assessment-azure/view-running-containers-vulnerability.png" alt-text="Screenshot of recommendations showing your running containers with the vulnerabilities associated with the images used by each container." lightbox="media/defender-for-containers-vulnerability-assessment-azure/view-running-containers-vulnerability.png":::
 

articles/defender-for-cloud/faq-defender-for-containers.yml

@@ -123,6 +123,11 @@ sections:
           - For the Docker v2 format, the manifest media type would be **application/vnd.docker.distribution.manifest.v1+json** or **application/vnd.docker.distribution.manifest.v2+json**, as documented [here](https://docs.docker.com/registry/spec/manifest-v2-2/).
           - For the OCI image format, the manifest media type would be **application/vnd.oci.image.manifest.v1+json**, and config media type **application/vnd.oci.image.config.v1+json**, as documented [here](https://specs.opencontainers.org/image-spec/media-types/).
 
+      - question: |
+          What's the agentless discovery for Kubernetes refresh interval?
+        answer: |
+          Agentless information in Defender for Containers is updated through a snapshot mechanism. It can take up to **6 hours** to see results in cloud security explorer.
+
 additionalContent: |
 
   ## Next steps

articles/defender-for-cloud/includes/defender-for-containers-enable-plan-aks.md

@@ -25,8 +25,10 @@ ms.date: 06/01/2023
 
     :::image type="content" source="../media/defender-for-containers-enable-plan-gke/container-components-on.png" alt-text="screenshot of turning on components." lightbox="../media/defender-for-containers-enable-plan-gke/container-components-on.png":::
 
-    > [!Note]
-    > When you turn off Defender for Containers, the components are set to off and are not deployed to any more containers but they are not removed from containers that they are already installed on.
+    > [!NOTE]
+    >
+    > - Defenders for Containers customers who joined before August 2023 and don't have Agentless discovery for Kubernetes enabled as part of DCSPM when they enabled the plan, must manually enable the Agentless discovery for Kubernetes extension within the Defender for Containers plan.
+    > - When you turn off Defender for Containers, the components are set to off and are not deployed to any more containers but they are not removed from containers that they are already installed on.
 
 By default, when enabling the plan through the Azure portal, [Microsoft Defender for Containers](../defender-for-containers-introduction.md) is configured to automatically install required components to provide the protections offered by plan, including the assignment of a default workspace.
 

articles/defender-for-cloud/media/defender-for-containers-enable-plan-gke/container-components-on.png

@@ -2,7 +2,7 @@
 title: Release notes
 description: This page is updated frequently with the latest updates in Defender for Cloud.
 ms.topic: overview
-ms.date: 08/22/2023
+ms.date: 08/27/2023
 ---
 
 # What's new in Microsoft Defender for Cloud?
@@ -26,12 +26,31 @@ Updates in August include:
 
 |Date |Update  |
 |----------|----------|
+| August 30 | [Defender For Containers: Agentless Discovery for Kubernetes](#defender-for-containers-agentless-discovery-for-kubernetes)|
 | August 22 | [Recommendation release: Microsoft Defender for Storage should be enabled with malware scanning and sensitive data threat detection](#recommendation-release-microsoft-defender-for-storage-should-be-enabled-with-malware-scanning-and-sensitive-data-threat-detection)
 | August 17 | [Extended properties in Defender for Cloud security alerts are masked from activity logs](#extended-properties-in-defender-for-cloud-security-alerts-are-masked-from-activity-logs)
 | August 15 | [Preview release of GCP support in Defender CSPM](#preview-release-of-gcp-support-in-defender-cspm)|
 | August 7 | [New security alerts in Defender for Servers Plan 2: Detecting potential attacks abusing Azure virtual machine extensions](#new-security-alerts-in-defender-for-servers-plan-2-detecting-potential-attacks-abusing-azure-virtual-machine-extensions)
 | August 1 | [Business model and pricing updates for Defender for Cloud plans](#business-model-and-pricing-updates-for-defender-for-cloud-plans) |
 
+### Defender For Containers: Agentless discovery for Kubernetes
+
+August 30, 2023
+
+We're excited to introduce to Defender For Containers: Agentless discovery for Kubernetes. This release marks a significant step forward in container security, empowering you with advanced insights and comprehensive inventory capabilities for Kubernetes environments. The new container offering is powered by the Defender for Cloud contextual security graph.  Here's what you can expect from this latest update:
+
+- Agentless Kubernetes discovery
+- Comprehensive inventory capabilities
+- Kubernetes-specific security insights
+- Enhanced risk hunting with Cloud Security Explorer
+
+Agentless discovery for Kubernetes is now available to all Defender For Containers customers. You can start using these advanced capabilities today. We encourage you to update your subscriptions to have the full set of extensions enabled, and benefit from the latest additions and features. Visit the **Environment and settings** pane of your Defender for Containers subscription to enable the extension. 
+
+> [!NOTE]
+> Enabling the latest additions won't incur new costs to active Defender for Containers customers.
+
+For more information, see [Agentless discovery for Kubernetes](defender-for-containers-introduction.md#agentless-discovery-for-kubernetes).
+
 ### Recommendation release: Microsoft Defender for Storage should be enabled with malware scanning and sensitive data threat detection
 
 August 22, 2023
@@ -42,9 +61,9 @@ A new recommendation in Defender for Storage has been released. This recommendat
 |--|--|
 | Microsoft Defender for Storage should be enabled with malware scanning and sensitive data threat detection | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes malware scanning and sensitive data threat detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. With a simple agentless setup at scale, when enabled at the subscription level, all existing and newly created storage accounts under that subscription will be automatically protected. You can also exclude specific storage accounts from protected subscriptions.|
 
-This new recommendation will replace the current recommendation `Microsoft Defender for Storage should be enabled` (assessment key 1be22853-8ed1-4005-9907-ddad64cb1417). However, this recommendation will still be available in Azure Government clouds. 
+This new recommendation will replace the current recommendation `Microsoft Defender for Storage should be enabled` (assessment key 1be22853-8ed1-4005-9907-ddad64cb1417). However, this recommendation will still be available in Azure Government clouds.
 
-Learn more about [Microsoft Defender for Storage](defender-for-storage-introduction.md). 
+Learn more about [Microsoft Defender for Storage](defender-for-storage-introduction.md).
 
 ### Extended properties in Defender for Cloud security alerts are masked from activity logs
 
@@ -914,6 +933,3 @@ The related [policy definition](https://portal.azure.com/#view/Microsoft_Azure_P
 ## Next steps
 
 For past changes to Defender for Cloud, see [Archive for what's new in Defender for Cloud?](release-notes-archive.md).
-
-
-

articles/defender-for-cloud/media/defender-for-containers/risk-hunting.png

@@ -4,7 +4,7 @@ description: Review support requirements for the Defender for Containers plan in
 ms.topic: limits-and-quotas
 author: dcurwin
 ms.author: dacurwin
-ms.date: 06/07/2023
+ms.date: 08/20/2023
 ms.custom: references_regions, ignite-2022
 ---
 
@@ -19,6 +19,7 @@ This article summarizes support information for the [Defender for Containers pla
 
 | Feature | Supported Resources | Linux release state | Windows release state   | Agentless/Agent-based | Pricing Tier | Azure clouds availability |
 |--|--|--|--|--|--|--|
+| [Agentless discovery for Kubernetes](defender-for-containers-introduction.md#agentless-discovery-for-kubernetes) | ACR, AKS | GA | GA | Agentless | Defender for Containers | Azure commercial clouds |
 | Compliance-Docker CIS | VM, Virtual Machine Scale Set | GA | - | Log Analytics agent | Defender for Servers Plan 2 | Commercial clouds<br><br> National clouds: Azure Government, Microsoft Azure operated by 21Vianet  |
 | [Vulnerability assessment](defender-for-containers-vulnerability-assessment-azure.md) (powered by Qualys) - registry scan [OS packages](#registries-and-images-support-for-azure---powered-by-qualys) | ACR, Private ACR | GA | Preview | Agentless | Defender for Containers  | Commercial clouds<br><br> National clouds: Azure Government, Azure operated by 21Vianet |
 | [Vulnerability assessment](defender-for-containers-vulnerability-assessment-azure.md) (powered by Qualys) -registry scan [language packages](#registries-and-images-support-for-azure---powered-by-qualys) | ACR, Private ACR | Preview | - | Agentless | Defender for Containers  | Commercial clouds<br><br> National clouds: Azure Government, Azure operated by 21Vianet |