|
| 1 | +--- |
| 2 | +title: Investigate and respond to container threats in the Microsoft Defender portal |
| 3 | +description: Investigate and respond to container attacks and threats with cloud investigation and response capabilities in the Microsoft Defender portal. |
| 4 | +ms.service: defender-xdr |
| 5 | +f1.keywords: |
| 6 | + - NOCSH |
| 7 | +ms.author: diannegali |
| 8 | +author: diannegali |
| 9 | +ms.localizationpriority: medium |
| 10 | +manager: deniseb |
| 11 | +audience: ITPro |
| 12 | +ms.collection: |
| 13 | + - m365-security |
| 14 | + - tier1 |
| 15 | +ms.topic: conceptual |
| 16 | +search.appverid: |
| 17 | + - MOE150 |
| 18 | + - MET150 |
| 19 | +ms.date: 11/18/2024 |
| 20 | +appliesto: |
| 21 | +- Microsoft Defender XDR |
| 22 | +--- |
| 23 | +# Investigate and respond to container threats in the Microsoft Defender portal |
| 24 | + |
| 25 | +[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] |
| 26 | + |
| 27 | +> [!IMPORTANT] |
| 28 | +> Some information in this article relates to a prereleased product, which may be substantially modified before it’s commercially released. Microsoft makes no warranties expressed or implied, with respect to the information provided here |
| 29 | +
|
| 30 | +Security operations can now investigate and respond to container-related alerts in near real-time in the Microsoft Defender portal with the integration of cloud-native response actions and investigation logs to hunt for related activities. The availability of attack paths can also help analysts immediately investigate and address critical security issues to prevent a potential breach. |
| 31 | + |
| 32 | +Organizations often use containers to support their microservices, DevOps, and hybrid cloud setup. However, containers can also be targeted by threat actors and used for malicious purposes. |
| 33 | + |
| 34 | +Security operations center (SOC) analysts can now easily track container threats with near real-time alerts and immediately respond to these threats by isolating or terminating container pods. This integration allows analysts to instantly mitigate a container attack from their environment in a click. |
| 35 | + |
| 36 | +Analysts can then investigate the full scope of the attack with the ability to hunt for related activities within the incident graph. They can also further apply preventive actions with the availability of potential attack paths in the incident graph. Using the information from the attack paths allows security teams to inspect the paths and prevent possible breaches. In addition, Threat analytics reports specific to container threats and attacks are available for analysts to gain more information and apply recommendations for container attack response and prevention. |
| 37 | + |
| 38 | +## Prerequisites |
| 39 | + |
| 40 | +The following licenses are required to view and resolve container-related alerts in the Defender portal: |
| 41 | + |
| 42 | +- [Microsoft Defender for Containers enabled](/azure/defender-for-cloud/defender-for-containers-introduction) |
| 43 | +- Microsoft Defender XDR |
| 44 | + |
| 45 | +> [!Note] |
| 46 | +> The **isolate pod** response action requires a network policy enforcer. Check whether your Kubernetes cluster has a network policy installed. |
| 47 | +
|
| 48 | +Users on the [Microsoft Defender for Cloud Security Posture Management](/azure/defender-for-cloud/concept-cloud-security-posture-management) plan can view attack paths in the incident graph. |
| 49 | + |
| 50 | +Users with provisioned access to Microsoft Security Copilot can also take advantage of the guided responses delivered in the Microsoft Defender portal to investigate and remediate container threats. |
| 51 | + |
| 52 | +## Permissions |
| 53 | + |
| 54 | +To perform any of the response actions, users must have the following permissions for Microsoft Defender for Cloud in the Microsoft Defender XDR unified role-based access control: |
| 55 | + |
| 56 | +|Permission name|Level| |
| 57 | +|:---:|:---:| |
| 58 | +|Alerts|Manage| |
| 59 | +|Response|Manage| |
| 60 | + |
| 61 | +For more information on these permissions, see [Permissions in Microsoft Defender XDR Unified role-based access control (RBAC)](custom-permissions-details.md). |
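Review bot: the `[!Note]` block under **Prerequisites** ("Check whether your Kubernetes cluster has a network policy installed.") conflates a NetworkPolicy object with the component that enforces it, which is the actual requirement the sentence before it states. Kubernetes only enforces NetworkPolicy resources when the cluster's network plugin (CNI) supports them; a cluster can contain NetworkPolicy objects that have no effect at all, so telling readers to check for an installed policy points them at the wrong thing and the **isolate pod** action could silently fail to isolate. Suggest rewording along the lines of: `> The **isolate pod** response action requires a network policy enforcer. Verify that your cluster's network plugin supports and enforces Kubernetes NetworkPolicy resources; the presence of NetworkPolicy objects alone does not mean they are enforced.` Two smaller points in the same hunk: the admonition casing should match the `> [!IMPORTANT]` convention used at the top of the file (`[!Note]` should be `[!NOTE]`), and the prerelease disclaimer in that `[!IMPORTANT]` block is missing its closing period after "provided here" and reads "expressed or implied" where the usual legal phrasing is "express or implied".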